Abstract. We give algorithms for computing with divisors on projective curves 
over finite fields, and with their Jacobians, using the algorithmic representation 
of projective curves developed by Khuri-Makdisi. We show that various desirable 
operations can be performed efficiently in this setting: decomposing divisors 
into prime divisors; computing pull-backs and push-forwards of divisors under 
finite morphisms, and hence Picard and Albanese maps on Jacobians; generating 
uniformly random divisors and points on Jacobians; computing Frobenius maps 
and Kummer maps; and finding a basis for the $l$-torsion of the Picard group, 
where $l$ is a prime number different from the characteristic of the base field. 

Introduction 

In [12] and [13], K. Khuri-Makdisi developed efficient algorithms for computing with divisors on 
projective curves over arbitrary fields. The goal of this article is to show that for curves over finite 
fields in Khuri-Makdisi's algorithmic representation, one can compute Frobenius morphisms and 
Frey–Rück pairings, pick uniformly random rational points on curves and their Jacobians (given 
the zeta function of the curve), perform various other operations specific to curves over finite fields, 
and compute Picard and Albanese maps induced by certain finite morphisms between curves. 

The curves we consider are complete, smooth and geometrically connected curves over a 
field k. For now we assume k is an arbitrary field; later we assume it to be finite. The basic idea 
is to describe such a curve X using a projective embedding via a very ample line bundle $\mathcal{L}$. The 
curve is then represented by means of the finite k-algebra obtained by taking the quotient of the 
homogeneous coordinate ring of X by the ideal generated by homogeneous elements of sufficiently 
large degree. Divisors on X are represented as subspaces of the k-vector spaces of global sections 
of suitable powers of the line bundle $\mathcal{L}$. Using this representation of the curve and of divisors on 
it, Khuri-Makdisi [12] has given algorithms for computing with divisors and elements of the Picard 
group. Taking advantage of some improvements to this basic idea, described in [13], his algorithms 
are currently the fastest known algorithms for general curves, asymptotically as the genus increases 
and measured in operations in k. 

The algorithms presented in this paper are relevant for computations with curves of large genus 
over finite fields. The author's interest in these was raised by algorithms for explicitly computing 
coefficients of modular forms. In [9] and the forthcoming book [8], Couveignes, Edixhoven and 
others describe an algorithm for computing coefficients of modular forms for the group $\mathrm{SL}_2(\mathbf{Z})$. 
In the author's forthcoming thesis [3], their methods are generalised to modular forms for groups 
of the form $\Gamma_1(n)$. The method used in each case is to compute two-dimensional modular Galois 
representations over finite fields. The basic problem is to find explicit realisations of group schemes 
over Q of the form J[m], where J is the Jacobian of a modular curve and m is a maximal ideal of 
the corresponding Hecke algebra. The approach taken is to approximate the coefficients of certain 
polynomials defining such group schemes, either over the complex numbers or modulo sufficiently 
many small prime numbers. The complex method has already been used by Bosman [2] for actual 
computations. The alternative method using finite fields was described by Couveignes in [9] for 
the modular curves $X_1(5l)$, where $l$ is a prime number. The computations in this case can be done 
using (singular) plane models for these curves. For a more general modular curve X, it seems 
natural to take an embedding of X as a smooth curve in a higher-dimensional projective space, 
using the line bundle of modular forms of weight 2. Using the technique of modular symbols [18], 
one can compute q-expansions of these modular forms, as well as the zeta function of X. This 
immediately gives a representation of X that can be used for Khuri-Makdisi's algorithms, without 
having to write down equations. 



The paper is organised as follows. In the preliminary Section 1 we consider some computational 
problems related to finite algebras over a field; these are needed in the other two sections. In 
Section 2 we recall Khuri-Makdisi's algorithms for projective curves over arbitrary base fields, and 
we describe a number of extensions. Some of our algorithms require that we are able to efficiently 
compute primary decompositions of finite k-algebras. This condition is fulfilled, for example, if k 
is a finite field or a number field. We give algorithms for the following computational problems: 

(1) finding the decomposition of a divisor as a linear combination of prime divisors; 

(2) computing pull-backs and push-forwards of divisors under finite morphisms; 

(3) computing Picard and Albanese maps induced by finite morphisms of curves. 

We also consider some more technical problems that are needed for the rest of the paper. In 
Section 3 we describe the rest of our algorithms, which are specific to curves over finite fields. 
These are the following: 

(1) computing the Frobenius map on points of the curve, and of its Jacobian, that are defined 
over finite extensions of the base field; 

(2) generating uniformly random effective divisors of a given degree, and uniformly random points 
of the Jacobian, if the zeta function of the curve is known; 

(3) computing Frey–Rück pairings on the Jacobian. 

By combining the above methods, we also show that the methods of Couveignes [4] for computing 
Kummer maps of order $l$ and for finding a basis for the $l$-torsion of the Picard group, where $l$ is a 
prime number different from the characteristic of the base field, can be extended to our situation, 
again under the assumption that we know the zeta function of the curve. 

Remarks. (1) When the field k is finite, measuring the running time in field operations is essentially 
the same as measuring it in bit operations. However, if k is a number field, it is impossible to avoid 
numerical explosion of the data describing the divisors during computations, so that the running 
time in bit operations is much worse than that counted in field operations. Using lattice reduction 
algorithms to reduce the size of the data between operations should not be expected to solve this 
problem; see Khuri-Makdisi [13, page 2214]. 

(2) Many of the algorithms we describe are probabilistic. All of these are of the Las Vegas type, 
meaning that the running time depends on certain random data generated during the execution 
of the algorithm, but that the outcome is guaranteed to be correct. The epithet Las Vegas 
distinguishes such algorithms from those of the Monte Carlo type, where the randomness influences the 
correctness of the outcome instead of the running time. 

(3) The algorithms mentioned in this paper have a running time that is bounded by some 
polynomial in various quantities that are indicated in each case. Obtaining more detailed estimates 
should not be difficult, but has at the time of writing not yet been done. 

Acknowledgements. I would like to thank Johan Bosman, Claus Diem, Bas Edixhoven, Kamal 
Khuri-Makdisi and Hendrik Lenstra for useful conversations and correspondence on topics related 
to this paper. 

1. Algorithms for computing with finite algebras 



In this section we describe techniques for solving two computational problems about finite algebras 
over a field. The first is how to find the primary decomposition of such an algebra; the second is 
how to reconstruct such an algebra from a certain kind of bilinear map between modules over it. 

The algebras to which we are going to apply these techniques in the next section are of the 
form $\Gamma(E, \mathcal{O}_E)$, where E is an effective divisor on a smooth curve over k. In this section, however, 
we place ourselves in the more general setting of arbitrary finite commutative k-algebras. 

1.1. Primary decomposition and radicals 

Let k be a field with the following two properties: 

(1) k is perfect; 

(2) we have a (probabilistic) algorithm to factor polynomials $f \in k[x]$ that takes an (expected) 
number of operations in k that is bounded by a polynomial in the degree of f. 

For such a field k there exist (probabilistic) algorithms to find the primary decomposition of a finite 
commutative k-algebra A that finish in an (expected) number of operations in k that is bounded 
by a polynomial in $[A : k]$. Such algorithms have been known for some time, but do not seem to 
be easily available in published form; see Khuri-Makdisi's preprint [13, draft version 2, §7]. For 
an algorithm to find the primary decomposition of arbitrary (not necessarily commutative) finite 
algebras over finite fields, see Eberly and Giesbrecht [7]. 

1.2. Reconstructing an algebra from a perfect bilinear map 

Let A be a commutative ring. If M, N and O are free A-modules of rank one and 

$$\mu: M \times N \to O$$

is an A-bilinear map, we say that $\mu$ is perfect if it induces an isomorphism 



of free A-modules of rank 1. 

Now let k be a field, and let a finite commutative k-algebra A be specified implicitly in the 
following way. We are given k-vector spaces M, N and O of the same finite dimension, together with 
a k-bilinear map 

$$\mu: M \times N \to O.$$

We assume there exists a commutative k-algebra A such that M, N and O are free A-modules of 
rank 1 and $\mu$ is a perfect A-bilinear map. The following observation implies that A is the unique 
k-algebra with this property, and also shows how to compute A as a subalgebra of $\operatorname{End}_k M$, provided 
we are able to find a generator of N as an A-module. As could be expected, the roles of M and N 
can be interchanged. 

Lemma 1.1. In the above situation, let g be a generator of the A-module N. The ring 
homomorphism $A \to \operatorname{End}_k M$ sending a to multiplication by a is, as an A-linear map, the composition 
of 

$$A \to N, \qquad a \mapsto ag$$

and 

$$N \to \operatorname{End}_k M, \qquad n \mapsto \mu(\cdot, g)^{-1} \circ \mu(\cdot, n).$$

In particular, the image of A in $\operatorname{End}_k M$ equals the image of the second map. 

Proof . This is a straightforward verification. □ 

In the case where k is a finite field, a way to find a generator for N as an A-module is simply 
to pick random elements $g \in N$ until we find one that generates N. Since $\mu$ is perfect, checking 
whether g generates N comes down to checking whether $\mu(\cdot, g): M \to O$ is an isomorphism. In 
particular, we can do this without knowing A. 

To get a reasonable expected running time for this approach, we need to ensure that N contains 
sufficiently many elements that generate it as an A-module. Since N is free of rank 1, the number 
of generators equals the number of units in A. Let us therefore estimate under what conditions a 
random element of A is a unit with probability at least 1/2. Write d for the degree of A over k. 
Decomposing A into a product of finite local k-algebras, and noting that the proportion of units 
in a finite local k-algebra is equal to the proportion of units in its residue class field, we see that 

$$\frac{\#A^\times}{\#A} \ge \frac{(\#k^\times)^d}{\#k^d} = \Bigl(1 - \frac{1}{\#k}\Bigr)^d;$$

equality occurs if and only if A is a product of d copies of k. Now it is not hard to show that 

$$\#k \ge 2d \implies \Bigl(1 - \frac{1}{\#k}\Bigr)^d \ge \frac{1}{2}.$$

Taking a finite extension k' of k of cardinality at least 2d, we therefore see that a random element 
of $A_{k'}$ is a unit with probability at least 1/2. There are well-known algorithms to generate such 
an extension, such as that of Rabin [15], which runs in probabilistic polynomial time and simply 
tries random polynomials until it finds one that is irreducible, and the deterministic algorithm of 
Adleman and Lenstra [1], which is only known to run in polynomial time under the generalised 
Riemann hypothesis. 

Algorithm 1.2 (Reconstruct an algebra from a bilinear map). Let k be a finite field, let A be a 
finite k-algebra, and let 

$$\mu: M \times N \to O$$

be a perfect A-bilinear map between free A-modules of rank 1. Given the coefficients of $\mu$ with 
respect to some k-bases of M, N and O, this algorithm outputs a k-basis for the image of A 
in $\operatorname{End}_k M$, consisting of matrices with respect to the given basis of M. 

1. Choose an extension k' of k of degree i°s™a.^{2[^^.fc],g} ^ ^ j^i ^ qi (jgj^Q^g ^j^g 
base extensions of M, N, O and $\mu$ to k'. 

2. Choose a uniformly random element $g \in N'$. 

3. Check whether $\mu'(\cdot, g): M' \to O'$ is an isomorphism; if not, go to step 2. 

4. For n ranging over a k'-basis of N', compute the endomorphism 

$$a_n = \mu'(\cdot, g)^{-1} \circ \mu'(\cdot, n) \in \operatorname{End}_{k'} M'.$$

Let $A' \subseteq \operatorname{End}_{k'} M'$ denote the k'-span of the $a_n$. 

5. Output a basis for the k-vector space $\operatorname{End}_k M \cap A'$. 

Analysis. It follows from Lemma 1.1 that A' equals the image of $k' \otimes_k A$ in $\operatorname{End}_{k'} M'$. This implies 
that the basis returned by the algorithm is indeed a k-basis for the image of A in $\operatorname{End}_k M$. Because 
of the choice of k', steps 2 and 3 are executed at most twice on average. It is therefore clear that 
the expected running time of the algorithm is polynomial in [A : k] and log o 

If k is infinite (or finite and sufficiently large), we have the following variant. Let S be a finite 
subset of k, and let V be a k-vector space of dimension d with a given basis $v_1, \dots, v_d$. Consider 
the set 

$$V_S = \Bigl\{ \sum_{i=1}^d \sigma_i v_i \Bigm| \sigma_1, \dots, \sigma_d \in S \Bigr\}$$

of S-linear combinations of $v_1, \dots, v_d$. Choosing the $\sigma_i$ uniformly randomly in S, we get the 
uniform distribution on $V_S$. If $H_1, \dots, H_l$ are proper linear subspaces of V, then a uniformly 
random element of $V_S$ lies in at least one of the $H_i$ with probability at most $l/\#S$. Now if A is a 
finite commutative k-algebra, it contains at most $[A : k]$ maximal ideals. This implies that if S is 
a finite subset of k with $\#S \ge 2[A : k]$, then an S-linear combination of any k-basis of A is a unit 
with probability at least 1/2. This leads to the following variant of Algorithm 1.2. 

Algorithm 1.3 (Reconstruct an algebra from a bilinear map). Let k be a field, let A be a finite 
k-algebra, and let 

$$\mu: M \times N \to O$$

be a perfect A-bilinear map between free A-modules of rank 1. Suppose that we can pick uniformly 
random elements of some subset S of k with $\#S \ge 2[A : k]$. Given the coefficients of $\mu$ with respect 
to some k-bases of M, N and O, this algorithm outputs a k-basis for the image of A in $\operatorname{End}_k M$, 
consisting of matrices with respect to the given basis of M. 

1. Choose a uniformly random S-linear combination g of the given basis of N. 

2. Check whether $\mu(\cdot, g): M \to O$ is an isomorphism; if not, go to step 2. 

3. For n ranging over a k-basis of N, compute the endomorphism 

$$a_n = \mu(\cdot, g)^{-1} \circ \mu(\cdot, n) \in \operatorname{End}_k M,$$

and output the $a_n$. 

Analysis. This works for the same reason as Algorithm 1.2. ⋄ 
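
A worked instance of Algorithm 1.3 and of the unit-proportion estimate that precedes it, added here as an example and not taken from the paper. It assumes k = F_7, the hidden algebra A = F_7[x]/(x^3 - x) (so #k = 7 >= 2[A : k] = 6 and S = k), and constructed bases BM, BN, BO; all function names are hypothetical. A draw of g that does not generate N is discarded and a fresh g is drawn.

```python
import random
from itertools import product

P = 7              # constructed example: k = F_7, so #k >= 2[A:k] = 6
RED = [0, 1, 0]    # hidden algebra A = k[x]/(x^3 - x): x^3 reduces to x
# Constructed k-bases of M = N = O = A (rows are elements of A); they
# scramble the multiplication so that A is not visible in the tensor.
BM = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]
BN = [[2, 0, 1], [1, 1, 0], [0, 3, 1]]
BO = [[1, 0, 0], [5, 1, 0], [0, 2, 1]]

def mat_mul(a, b):
    return [[sum(x * y for x, y in zip(r, c)) % P for c in zip(*b)] for r in a]

def mat_inv(a):
    """Gauss-Jordan inverse over F_P; returns None if a is singular."""
    n = len(a)
    m = [[x % P for x in row] + [int(i == j) for j in range(n)]
         for i, row in enumerate(a)]
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c]), None)
        if piv is None:
            return None
        m[c], m[piv] = m[piv], m[c]
        inv = pow(m[c][c], -1, P)
        m[c] = [x * inv % P for x in m[c]]
        for r in range(n):
            if r != c and m[r][c]:
                f = m[r][c]
                m[r] = [(x - f * y) % P for x, y in zip(m[r], m[c])]
    return [row[n:] for row in m]

def rank(rows):
    """Rank over F_P of a list of vectors."""
    rows, r = [[x % P for x in row] for row in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c] * inv % P
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def alg_mul(a, b):
    """Product in A of two elements given by monomial coordinates."""
    d = len(a)
    prod = [0] * (2 * d - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P
    for t in range(2 * d - 2, d - 1, -1):      # rewrite x^t via x^d = RED
        c, prod[t] = prod[t], 0
        for l in range(d):
            prod[t - d + l] = (prod[t - d + l] + c * RED[l]) % P
    return prod[:d]

def sample_tensor():
    """T[i][j] = coordinates of mu(BM[i], BN[j]) with respect to BO."""
    bo_inv = mat_inv(BO)
    return [[mat_mul([alg_mul(m, n)], bo_inv)[0] for n in BN] for m in BM]

def mu_right(T, n):
    """Matrix (O-coords x M-coords) of the k-linear map mu(., n): M -> O."""
    d = len(T)
    return [[sum(n[j] * T[i][j][l] for j in range(d)) % P for i in range(d)]
            for l in range(d)]

def reconstruct_algebra(T, rng=random):
    """Return (k-basis of the image of A in End_k M, number of draws of g)."""
    d, tries = len(T), 0
    while True:
        tries += 1
        g = [rng.randrange(P) for _ in range(d)]      # random element of N
        g_inv = mat_inv(mu_right(T, g))                # None unless g generates N
        if g_inv is not None:
            break
    unit = lambda j: [int(t == j) for t in range(d)]
    # a_n = mu(., g)^{-1} o mu(., n) for n in the given basis of N
    return [mat_mul(g_inv, mu_right(T, unit(j))) for j in range(d)], tries

def count_generators(T):
    """Exhaustively count g in N for which mu(., g) is an isomorphism."""
    return sum(mat_inv(mu_right(T, list(g))) is not None
               for g in product(range(P), repeat=len(T)))

def is_commutative_subalgebra(basis):
    """Check: independent, pairwise commuting, span closed under products."""
    flat = lambda m: [x for row in m for x in row]
    prods = [mat_mul(a, b) for a in basis for b in basis]
    commute = all(mat_mul(a, b) == mat_mul(b, a) for a in basis for b in basis)
    span = [flat(m) for m in basis]
    return (commute and rank(span) == len(basis)
            and rank(span + [flat(m) for m in prods]) == len(basis))
```

Here A is a product of three copies of k, the equality case of the estimate, so exactly 6^3 of the 7^3 elements of N are generators.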

Let us sketch how to solve the problem if k is an arbitrary field. Let p be the characteristic 
of k. If $p = 0$ or $p \ge 2[A : k]$, we can apply Algorithm 1.3 with $S = \{0, 1, \dots, 2[A : k] - 1\}$. 
Otherwise, we consider the subfield $k_0$ of k generated by the coefficients of the multiplication table 
of A over k. Then A is obtained by base extension to k of the finite $k_0$-algebra $A_0$ defined by the 
same multiplication table. We can check whether $k_0$ is a finite field with $\#k_0 < 2d$ by checking 
whether each coefficient of the multiplication table satisfies a polynomial of small degree. If this 
is the case, then we compute an $\mathbf{F}_p$-basis and multiplication table for $k_0$ and apply Algorithm 1.2 
to $A_0$ over $k_0$. Otherwise we obtain at some point a finite subset S of k, with $\#S \ge 2d$, consisting 
of polynomials in the coefficients of the multiplication table. We then apply Algorithm 1.3 to A 
over k with this S. 

2. Computing with divisors on a curve 

In this section we describe a collection of algorithms, developed by Khuri-Makdisi in [12] and [13], 
that allow us to compute efficiently with divisors on a curve over a field. In particular, we will 
describe algorithms for computing in the Picard group of a curve. Many of the results of this 
section can be found in [12] and [13]; however, §§ 2.6, 2.9 and 2.11 seem to be new. 

2.1. Representing the curve 

Let X be a complete, smooth, geometrically connected curve over a field k. We fix a line bundle $\mathcal{L}$ 
on X such that 

$$\deg \mathcal{L} \ge 2g + 1.$$

Then $\mathcal{L}$ is very ample (see for example Hartshorne [11, IV, Corollary 3.2(b)]), so it gives rise to a 
closed immersion 

$$i_{\mathcal{L}}: X \to \mathbf{P}\Gamma(X, \mathcal{L})$$

into a projective space of dimension $\deg \mathcal{L} - g$. (We write $\mathbf{P}V$ for the projective space of hyperplanes 
in a k-vector space V.) The assumption that $\deg \mathcal{L} \ge 2g + 1$ implies moreover that the multiplication 
maps 

$$\mu_{i,j}: \Gamma(X, \mathcal{L}^{\otimes i}) \otimes_k \Gamma(X, \mathcal{L}^{\otimes j}) \to \Gamma(X, \mathcal{L}^{\otimes(i+j)})$$

are surjective for all $i, j \ge 0$, or equivalently that the embedding $i_{\mathcal{L}}$ is projectively normal. This is 
a classical theorem of Castelnuovo, Mattuck and Mumford; see for example Lazarsfeld [14, § 1.1]. 

We write $S_X$ for the homogeneous coordinate ring of X with respect to the embedding $i_{\mathcal{L}}$. By 
the fact that $i_{\mathcal{L}}$ is projectively normal, we have a canonical isomorphism 

$$S_X \cong \bigoplus_{i \ge 0} \Gamma(X, \mathcal{L}^{\otimes i})$$

of graded k-algebras; see Hartshorne [11, Chapter II, Exercise 5.14]. It turns out that to be able to 
compute with divisors on X we do not need to know the complete structure of this graded algebra. 
For all $h \ge 0$ we define the finite graded k-algebra $S_X^{(h)}$ as $S_X$ modulo the ideal generated by 
homogeneous elements of degree greater than h. The above isomorphism shows that specifying $S_X^{(h)}$ 
is equivalent to giving the k-vector spaces $\Gamma(X, \mathcal{L}^{\otimes i})$ for $1 \le i \le h$ together with the multiplication 
maps $\mu_{i,j}$ between them for $i + j \le h$. 

When we speak of a projective curve X in the remainder of this section, we will assume without 
further mention that X is a complete, smooth and geometrically connected curve of genus $g \ge 0$, 
and that a line bundle $\mathcal{L}$ of degree at least 2g + 1 has been chosen. We will often write $\mathcal{L}_X$ for this 
line bundle and $g_X$ for the genus of X to emphasise that they are part of the data. 

In the algorithms in this section, the curve X is part of the input in the guise of the graded 
k-algebra $S_X^{(h)}$ for some sufficiently large h. A lower bound for h is specified in each case. One 
way to specify the multiplication in $S_X^{(h)}$ is to fix a basis for each of the spaces $\Gamma(X, \mathcal{L}^{\otimes i})$, and to 
give the matrices for multiplication with each basis element. However, as Khuri-Makdisi explains 
in [13], a more efficient representation is to choose a trivialisation of $\mathcal{L}$ (and hence of its powers) 
over an effective divisor of sufficiently large degree or, even better, at sufficiently many distinct 
rational points of X, so that the multiplication maps can be computed pointwise. 

Remarks. (1) The integers g and $\deg \mathcal{L}$ can of course be stored as part of the data describing 
X. However, they can also be extracted from the dimensions of the k-vector spaces $\Gamma(X, \mathcal{L})$ 
and r(X, and hence from S^^; this follows easily from the Riemann–Roch formula. 

(2) If the degree of $\mathcal{L}$ is at least 2g + 2, then the homogeneous ideal defining the embedding $i_{\mathcal{L}}$ is 
generated by homogeneous elements of degree 2, according to a theorem of Fujita and Saint-Donat; 
see Lazarsfeld [14, § 1.1]. This makes it possible to deduce equations for X from the k-algebra S)^. 
However, we will not need to do this. 

(3) The representation of curves described by Khuri-Makdisi in [12] and [13] is especially suited 
for modular curves. Namely, we can represent a modular curve X using the projective embedding 
given by a line bundle of modular forms, and computing the k-algebra $S_X^{(h)}$ for a given h comes 
down to computing q-expansions of modular forms of a suitable weight to sufficient precision. This 
can be done using modular symbols; see Stein [18]. If the modular curve has at least 3 cusps (which 
is the case, for example, for $X_1(n)$ for all n > 5), then we can restrict ourselves to modular forms 
of weight 2, for which the formalism of modular symbols is particularly simple [18, Chapter 3]. 

2.2. Representing divisors 

Let X be a projective curve of genus g in the sense of § 2.1, and let $\mathcal{L}$ be the line bundle giving the 
projective embedding of X. To represent divisors on X, it is enough to consider effective divisors, 
since an arbitrary divisor can be represented by a formal difference of two effective divisors. 

Let D be an effective divisor on X such that $\mathcal{L}(-D)$ is generated by global sections. In terms 
of the projective embedding, this means that D is the intersection of X and a linear subvariety 
of $\mathbf{P}\Gamma(X, \mathcal{L})$, or equivalently that D is defined by a system of linear equations. Such a divisor can 
be represented as the subspace $\Gamma(X, \mathcal{L}(-D))$ of $\Gamma(X, \mathcal{L})$ consisting of sections vanishing on D. The 
codimension of $\Gamma(X, \mathcal{L}(-D))$ in $\Gamma(X, \mathcal{L})$ is equal to the degree of D. 

A sufficient condition for the line bundle $\mathcal{L}(-D)$ to be generated by global sections is 

$$\deg D \le \deg \mathcal{L} - 2g; \qquad (2.1)$$

see for example Hartshorne [11, IV, Corollary 3.2(a)]. However, we note that in general not every 
subspace of codimension at most $\deg \mathcal{L} - 2g$ is of the form $\Gamma(X, \mathcal{L}(-D))$ for an effective divisor D 
of the same degree. 

Remark. This way of representing divisors comes down (at least for divisors of degree $d \le \deg \mathcal{L} - 2g$) 
to embedding the d-th symmetric power of X into the Grassmannian variety parametrising 
subspaces of codimension d in $\Gamma(X, \mathcal{L})$ and viewing divisors of degree d as points on this Grassmannian 
variety. 

It will often be necessary to consider divisors D of degree larger than the bound $\deg \mathcal{L} - 2g$ 
of (2.1). In such cases we can represent D as a subspace of $\Gamma(X, \mathcal{L}^{\otimes i})$ for i sufficiently large such 
that 

$$\deg D \le i \deg \mathcal{L} - 2g, \qquad (2.2)$$

provided of course that we know $S_X^{(h)}$ for some $h \ge i$. 

Khuri-Makdisi's algorithms rest on the following two results. The first is a generalisation of 
the theorem of Castelnuovo, Mattuck and Mumford mentioned above. It says in effect that to 
compute the space of global sections of the tensor product of two line bundles of sufficiently large 
degree, it is enough to multiply global sections of those line bundles. 

Lemma 2.1 (Khuri-Makdisi [12, Lemma 2.2]). Let X be a complete, smooth, geometrically 
connected curve of genus g over a field k, and let $\mathcal{M}$ and $\mathcal{N}$ be line bundles on X whose degrees are 
at least 2g + 1. Then the canonical k-linear map 

$$\Gamma(X, \mathcal{M}) \otimes_k \Gamma(X, \mathcal{N}) \to \Gamma(X, \mathcal{M} \otimes_{\mathcal{O}_X} \mathcal{N})$$

is surjective. 

The second result shows how to find the space of global sections of a line bundle that vanish 
on a given effective divisor, where this divisor is represented as a subspace of global sections of a 
second line bundle. 

Lemma 2.2 (Khuri-Makdisi [12, Lemma 2.3]). Let X be a complete, smooth, geometrically 
connected curve of genus g over a field k, let $\mathcal{M}$ and $\mathcal{N}$ be line bundles on X such that $\mathcal{N}$ is generated 
by global sections, and let D be any effective divisor on X. Then the inclusion 

$$\Gamma(X, \mathcal{M}(-D)) \subseteq \{ s \in \Gamma(X, \mathcal{M}) \mid s\,\Gamma(X, \mathcal{N}) \subseteq \Gamma(X, \mathcal{M} \otimes \mathcal{N}(-D)) \}$$

is an equality. 

Thanks to these two lemmata, one can give algorithms to do basic operations on divisors; see 
Khuri-Makdisi [12, §3]. For example, we can add, subtract and intersect divisors of sufficiently 
small degree, and we can test whether a given subspace of $\Gamma(X, \mathcal{L}^{\otimes i})$ is of the form $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$ 
for some effective divisor D. See also Algorithm 2.11 below for an example where Lemmata 2.1 
and 2.2 are used. 

2.3. Deflation and inflation 

An ingredient that Khuri-Makdisi uses in [13] to speed up the algorithms is deflation of subspaces. 
Suppose we want to compute the space $\Gamma(X, \mathcal{M}(-D))$ using Lemma 2.2 in the case where $\mathcal{M} = \mathcal{L}^{\otimes i}$ 
and $\mathcal{N} = \mathcal{L}^{\otimes j}(-E)$ with i and j positive integers and where D and E are effective divisors satisfying 
(2.2). On the right-hand side of the equality given by Lemma 2.2, we may replace $\Gamma(X, \mathcal{N})$ by any 
basepoint-free subspace; this is clear from the proof of [12, Lemma 2.3]. It turns out that there 
always exists such a subspace of dimension $O(\log(\deg \mathcal{N}))$, and a subspace of dimension 2 exists if 
the base field is either infinite or finite of sufficiently large cardinality. Moreover, one can efficiently 
find such a subspace by random trial; see Khuri-Makdisi [13, Proposition/Algorithm 3.7]. 

Suppose we are given a basepoint-free subspace W of $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$ for some i and D such 
that $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$ is basepoint-free. Then we can reconstruct the complete space $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$ 
from W. This procedure is called inflation. To describe how this can be done, we first state the 
following slight generalisation of a result of Khuri-Makdisi [13, Theorem 3.5(2)]. 

Lemma 2.3. Let X be a complete, smooth, geometrically connected curve of genus g over a field k, and let 
$\mathcal{M}$ and $\mathcal{N}$ be line bundles on X. Let V be a non-zero subspace of $\Gamma(X, \mathcal{M})$, and let D be the 
common divisor of the elements of V. If the inequality 

$$-\deg \mathcal{M} + \deg \mathcal{N} + \deg D \ge 2g - 1$$

is satisfied, the canonical k-linear map 

$$V \otimes_k \Gamma(X, \mathcal{N}) \to \Gamma(X, \mathcal{M} \otimes_{\mathcal{O}_X} \mathcal{N}(-D)) \qquad (2.3)$$

is surjective. 

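Proof. We note that $\mathcal{M}(-D)$ is basepoint-free by definition, since we can view V as a subspace 
of $\Gamma(X, \mathcal{M}(-D))$ and the elements of V have common divisor 0 as sections of $\mathcal{M}(-D)$. We also 
note that $\deg \mathcal{M} \ge \deg D$. Therefore the assumption on the degrees of $\mathcal{M}$, $\mathcal{N}$ and D implies the 
inequalities 

$$\deg \mathcal{N} \ge 2g - 1$$

and 

$$\deg(\mathcal{M} \otimes \mathcal{N}(-D)) \ge 2g - 1.$$

After extending the field k, we may assume it is infinite. Then there exist elements $s, t \in V$ with 
common divisor D; see Khuri-Makdisi [13, Lemma 4.1]. The space 

$$s\,\Gamma(X, \mathcal{N}) + t\,\Gamma(X, \mathcal{N})$$

lies in the image of (2.3), so it suffices to show that 

$$\dim_k\bigl(s\,\Gamma(X, \mathcal{N}) + t\,\Gamma(X, \mathcal{N})\bigr) = \dim_k \Gamma(X, \mathcal{M} \otimes \mathcal{N}(-D)).$$

Write 

$$\operatorname{div} s = D + E \quad\text{and}\quad \operatorname{div} t = D + F$$

where E and F are disjoint effective divisors. Then we have 

$$\begin{aligned}
\dim_k\bigl(s\,\Gamma(X, \mathcal{N}) + t\,\Gamma(X, \mathcal{N})\bigr) &= 2\dim_k \Gamma(X, \mathcal{N}) - \dim_k\bigl(s\,\Gamma(X, \mathcal{N}) \cap t\,\Gamma(X, \mathcal{N})\bigr) \\
&= 2\dim_k \Gamma(X, \mathcal{N}) - \dim_k \Gamma(X, \mathcal{M} \otimes \mathcal{N}(-D - E - F)) \\
&= 2\dim_k \Gamma(X, \mathcal{N}) - \dim_k \Gamma(X, \mathcal{M}^{-1} \otimes \mathcal{N}(D)).
\end{aligned}$$

The last equality follows from the fact that multiplication by st induces an isomorphism 

$$\mathcal{M}^{-1} \otimes \mathcal{N}(D) \xrightarrow{\sim} \mathcal{M} \otimes \mathcal{N}(-D - E - F).$$

Using the fact that the various line bundles have degrees at least 2g − 1, we see that 

$$\begin{aligned}
\dim_k\bigl(s\,\Gamma(X, \mathcal{N}) + t\,\Gamma(X, \mathcal{N})\bigr) &= 2(1 - g + \deg \mathcal{N}) - \bigl(1 - g + \deg(\mathcal{M}^{-1} \otimes \mathcal{N}(D))\bigr) \\
&= 1 - g + \deg \mathcal{M} + \deg \mathcal{N} - \deg D \\
&= \dim_k \Gamma(X, \mathcal{M} \otimes \mathcal{N}(-D)).
\end{aligned}$$

This finishes the proof. □ 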

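We can now describe how to inflate a basepoint-free subspace W of $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$. Namely, 
we choose a positive integer j such that 

$$(j - i) \deg \mathcal{L} + \deg D \ge 2g - 1.$$

By Lemma 2.3 we can then compute $\Gamma(X, \mathcal{L}^{\otimes(i+j)}(-D))$ as the image of the bilinear map 

$$W \otimes_k \Gamma(X, \mathcal{L}^{\otimes j}) \to \Gamma(X, \mathcal{L}^{\otimes(i+j)}).$$

Then we compute 

$$\Gamma(X, \mathcal{L}^{\otimes i}(-D)) = \{ s \in \Gamma(X, \mathcal{L}^{\otimes i}) \mid s\,\Gamma(X, \mathcal{L}^{\otimes j}) \subseteq \Gamma(X, \mathcal{L}^{\otimes(i+j)}(-D)) \}$$

using Lemma 2.2. We note that for this last step we can use a small basepoint-free subspace 
of $\Gamma(X, \mathcal{L}^{\otimes j})$ computed in advance. 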



2.4. Decomposing divisors into prime divisors 

Let X be a complete, smooth, geometrically connected curve of genus g over a field k, with a 
projective embedding via a line bundle $\mathcal{L}$ as in § 2.1. The problem we are now going to study is 
how to find the decomposition of a given divisor on X as a linear combination of prime divisors. 
We will see below that this can be done if we are given the algebra $S_X^{(h)}$ for sufficiently large h 
and if we are able to compute the primary decomposition of a finite commutative k-algebra. We 
have seen in § 1.1 that this is possible in the case where k is perfect and we have an algorithm for 
factoring polynomials in one variable over k. 

Let i be a positive integer, and let D be an effective divisor such that 

$$\deg D \le i \deg \mathcal{L} - 2g + 1.$$

We view D as a closed subscheme of X via the canonical closed immersion 

For every line bundle $\mathcal{M}$ on X, the k-vector space $\Gamma(D, j_D^*\mathcal{M})$ is in a natural way a free module 
of rank one over $\Gamma(D, \mathcal{O}_D)$. The multiplication map 

$$\mu_{i,i}: \Gamma(X, \mathcal{L}^{\otimes i}) \times \Gamma(X, \mathcal{L}^{\otimes i}) \to \Gamma(X, \mathcal{L}^{\otimes 2i})$$

descends to a bilinear map 

of free modules of rank 1 over $\Gamma(D, \mathcal{O}_D)$. This map is perfect in the sense of § 1.2. 

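We now assume that the graded k-algebra $S_X^{(h)}$ as in § 2.1 is given for some integer h > 2. 
From the subspace $\Gamma(X, \mathcal{L}^{\otimes i}(-D))$ of $\Gamma(X, \mathcal{L}^{\otimes i})$ we can then determine $\Gamma(D, j_D^*\mathcal{L}^{\otimes i})$ as a k-vector 
space by means of the short exact sequence 

$$0 \to \Gamma(X, \mathcal{L}^{\otimes i}(-D)) \to \Gamma(X, \mathcal{L}^{\otimes i}) \to \Gamma(D, j_D^*\mathcal{L}^{\otimes i}) \to 0. \qquad (2.4)$$

(Note that exactness on the right follows from the assumption that $\deg \mathcal{L}^{\otimes i}(-D) \ge 2g - 1$.) 
Similarly, we can compute $\Gamma(D, j_D^*\mathcal{L}^{\otimes 2i})$ from $\Gamma(X, \mathcal{L}^{\otimes 2i}(-D))$ using the same sequence with i 
replaced by 2i. We can then determine the bilinear map $\mu_{i,i}^D$ induced by $\mu_{i,i}$ by standard methods 
from linear algebra. 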

We then use the method described in § 1.2 to compute the k-algebra $\Gamma(D, \mathcal{O}_D)$ together with its 
action on $\Gamma(D, j_D^*\mathcal{L}^{\otimes i})$. Next we determine the primary decomposition of $\Gamma(D, \mathcal{O}_D)$, say 

$$\Gamma(D, \mathcal{O}_D) = A_1 \times A_2 \times \cdots \times A_r,$$

where each factor $A_i$ is a finite local k-algebra with maximal ideal $P_i$; we assume the field k is 
such that we can do this (see § 1.1). Such a prime ideal $P_i$ corresponds to a prime divisor in the 
support of D, and the corresponding multiplicity equals 

$$m_i = \frac{[A_i : k]}{[A_i/P_i : k]}.$$

Algorithm 2.4 (Decomposition of a divisor). Let X be a projective curve over a field k. Let i be 
a positive integer, and let D be an effective divisor such that 

$$\deg D \le i \deg \mathcal{L}_X - 2g_X + 1.$$

Suppose that we have a (probabilistic) algorithm to compute the primary decomposition of a 
finite commutative k-algebra A with (expected) running time polynomial in $[A : k]$, measured 
in operations in k. Given the k-algebra $S_X^{(2i)}$ and the subspaces $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$ of $\Gamma(X, \mathcal{L}_X^{\otimes i})$ 
and $\Gamma(X, \mathcal{L}_X^{\otimes 2i}(-D))$ of $\Gamma(X, \mathcal{L}_X^{\otimes 2i})$, this algorithm outputs the decomposition of D as a linear 
combination of prime divisors as a list of pairs $(P, m_P)$, where P is a prime divisor and $m_P$ is the 
multiplicity of P in D. 

1. Compute the spaces $\Gamma(D, j_D^*\mathcal{L}_X^{\otimes i})$ and $\Gamma(D, j_D^*\mathcal{L}_X^{\otimes 2i})$ using (2.4) and the analogous short exact 
sequence with 2i in place of i. 

2. Compute the k-bilinear map $\mu_{i,i}^D$ from $\mu_{i,i}$. 

3. Compute a k-basis for $\Gamma(D, \mathcal{O}_D)$ as a linear subspace of $\operatorname{End}_k \Gamma(D, j_D^*\mathcal{L}_X^{\otimes i})$, where elements of 
the latter k-algebra are expressed as matrices with respect to some fixed basis of $\Gamma(D, j_D^*\mathcal{L}_X^{\otimes i})$, 
as described in § 1.2. 

4. Compute the multiplication table of $\Gamma(D, \mathcal{O}_D)$ on the k-basis of $\Gamma(D, \mathcal{O}_D)$ found in the previous 
step. 

5. Find the primary decomposition of $\Gamma(D, \mathcal{O}_D)$. 

6. For each local factor A computed in the previous step, let $P_A$ denote the maximal ideal of A, 
output the inverse image of $P_A \cdot \Gamma(D, j_D^*\mathcal{L}_X^{\otimes i})$ in $\Gamma(X, \mathcal{L}_X^{\otimes i})$ and the integer $[A : k]/[A/P_A : k]$. 

Analysis. It follows from the above discussion that the algorithm returns the correct result. It 
is straightforward to check that the running time is polynomial in i and $\deg \mathcal{L}_X$, measured in 
operations in k. ⋄ 

A special case of this algorithm is when D is the intersection of X with a hypersurface of 
degree i − 1. Let s be a non-zero section of $\mathcal{L}_X^{\otimes(i-1)}$ defining this hypersurface. The subspaces that 
are used in this algorithm can then be computed as 

$$\Gamma(X, \mathcal{L}_X^{\otimes i}(-D)) = s\,\Gamma(X, \mathcal{L}_X)$$

and 

$$\Gamma(X, \mathcal{L}_X^{\otimes 2i}(-D)) = s\,\Gamma(X, \mathcal{L}_X^{\otimes(i+1)}).$$

2.5. Finite morphisms between curves 

Let us now look at finite morphisms between curves. A finite morphism 

$$f: X \to Y$$

of complete, smooth, geometrically connected curves induces two functors 

$$f^*: \{\text{line bundles on } Y\} \to \{\text{line bundles on } X\}$$

and 

$$N_f: \{\text{line bundles on } X\} \to \{\text{line bundles on } Y\}.$$

Here $f^*\mathcal{N}$ denotes the usual inverse image of the line bundle $\mathcal{N}$ on Y, and $N_f\mathcal{M}$ is the norm of 
the line bundle $\mathcal{M}$ on X under the morphism f. 

Let us briefly explain the notion of the norm of a line bundle. The norm functor is a special case 
(that of $\mathbf{G}_m$-torsors) of the trace of a torsor under a finite locally free morphism; see Deligne [17, 
exposé XVII, nos 6.3.20–6.3.26]. We formulate the basic results for arbitrary finite locally free 
morphisms of schemes 

$$f: X \to Y.$$

In this situation there exists a functor 

$$N_f: \{\text{line bundles on } X\} \to \{\text{line bundles on } Y\}$$
together with a collection of homomorphisms 
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of sheaves of sets, for all line bundles C an X, functorial under isomorphisms of line bundles on X, 
sending local generating sections on X to local generating sections on Y and such that the equality 

^j{xl) = ^f{x)-nj{l) 

holds for all local sections x of f^Ox and I of Here N/: f^,Ox Oy denotes the usual norm 
map for a finite locally free morphism. Moreover, the functor Nj together with the collection of 
the is unique up to unique isomorphism. Instead of N/ we also write ^x/y if the morphism / 
is clear from the context. 

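The basic properties of the norm functor are the following [17, exposé XVII, n° 6.3.26]:

(1) the functor $N_f$ is compatible with any base change $Y' \to Y$;

(2) if $\mathcal{L}_1$ and $\mathcal{L}_2$ are two line bundles on $X$, there is a natural isomorphism

$$N_f(\mathcal{L}_1 \otimes_{\mathcal{O}_X} \mathcal{L}_2) \cong N_f\mathcal{L}_1 \otimes_{\mathcal{O}_Y} N_f\mathcal{L}_2;$$

(3) if $X \xrightarrow{f} Y \xrightarrow{g} Z$ are finite locally free morphisms, there is a natural isomorphism

$$N_{g \circ f} \cong N_g \circ N_f.$$

Furthermore, there is a functorial isomorphism

$$N_f\mathcal{L} \cong \mathcal{H}om_{\mathcal{O}_Y}(\det\nolimits_{\mathcal{O}_Y} f_*\mathcal{O}_X, \det\nolimits_{\mathcal{O}_Y} f_*\mathcal{L}); \tag{2.5}$$

see Deligne [17, exposé XVIII, n° 1.3.17], and compare Hartshorne [11, IV, Exercise 2.6].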

We now consider projective curves $X$ and $Y$ as defined in § 2.1. Suppose we have a finite
morphism

$$f\colon X \to Y$$

with the property that $f$ is induced by a graded homomorphism

$$f^\#\colon S_Y \to S_X$$

between the homogeneous coordinate rings of $Y$ and $X$, or equivalently by a morphism of the
corresponding affine cones over $X$ and $Y$. Then $f^\#$ induces an isomorphism

$$f^*\mathcal{L}_Y \xrightarrow{\sim} \mathcal{L}_X$$

of line bundles on $X$; see Hartshorne [11, Chapter II, Proposition 5.12(c)]. In particular, this
implies

$$\deg \mathcal{L}_X = \deg f \cdot \deg \mathcal{L}_Y.$$

We represent a finite morphism $f\colon X \to Y$ by the $k$-algebras $S_X^{(h)}$ and $S_Y^{(h)}$ for some $h \ge 2$,
together with the $k$-algebra homomorphism

$$f^\#\colon S_Y^{(h)} \to S_X^{(h)}$$

induced by $f^\#\colon S_Y \to S_X$, given as a collection of linear maps $\Gamma(Y, \mathcal{L}_Y^{\otimes i}) \to \Gamma(X, \mathcal{L}_X^{\otimes i})$ compatible
with the multiplication maps on both sides.

In the following, when we mention a finite morphism $f\colon X \to Y$ between projective curves, we
assume that the $k$-algebras $S_X^{(h)}$ and $S_Y^{(h)}$ and the homomorphism $f^\#\colon S_Y^{(h)} \to S_X^{(h)}$ are given for
some $h \ge 2$. A lower bound for $h$ will be specified in each of the algorithms that we describe.

Remark. The homomorphism $f^\#$ gives rise to an injective $k$-linear map

$$\Gamma(Y, \mathcal{L}_Y) \to \Gamma(X, \mathcal{L}_X).$$

Given this map, we can reconstruct $S(Y)$ as a subalgebra of $S(X)$ by noting that $S(Y)$ is generated
as a $k$-algebra by $\Gamma(Y, \mathcal{L}_Y)$.

2.6. Images, pull-backs and push-forwards of divisors

Let us consider a finite morphism $f\colon X \to Y$ between complete, smooth, geometrically connected
curves over a field $k$. Such a morphism $f$ induces various maps between the groups of divisors
on $X$ and on $Y$.

First, for an effective divisor $D$ on $X$, we write $f(D)$ for the schematic image of $D$ under $f$.
The definition implies that the ideal sheaf $\mathcal{O}_Y(-f(D))$ is the inverse image of $f_*\mathcal{O}_X(-D)$ under
the natural map $\mathcal{O}_Y \to f_*\mathcal{O}_X$.

Second, for any divisor $D$ on $X$, we have the "push-forward" $f_*D$ of $D$ by $f$; see Hartshorne [11,
IV, Exercise 2.6]. If $P$ is a prime divisor on $X$, then its image $f(P)$ under $f$ is a prime divisor
on $Y$, the residue field $k(P)$ is a finite extension of $k(f(P))$, and $f_*P$ is given by the formula

$$f_*P = [k(P) : k(f(P))] \cdot f(P). \tag{2.6}$$

The residue field extension degree at $P$ can simply be computed as

$$\frac{\deg P}{\deg f(P)}.$$

Third, for any divisor $E$ on $Y$, we have the "pull-back" $f^*E$ of $E$ by $f$; see for example
Hartshorne [11, page 137]. If $Q$ is a prime divisor on $Y$, then $f^*Q$ is given by the formula

$$f^*Q = \sum_{P\colon f(P) = Q} e(P)\,P, \tag{2.7}$$

where $P$ runs over the prime divisors of $X$ mapping to $Q$ and $e(P)$ denotes the ramification index
of $f$ at $P$.

Both $f_*$ and $f^*$ are extended to arbitrary divisors on $X$ and $Y$ by linearity. Note that (2.6)
and (2.7) imply the well-known formula

$$f_*f^*E = (\deg f)E$$

for any divisor $E$ on $Y$. Furthermore, if $E$ is an effective divisor on $Y$, we have an equality

$$f^*E = E \times_Y X$$

of closed subschemes of $X$, and if $\mathcal{I}_E$ denotes the ideal sheaf of $E$, then its inverse image $f^{-1}\mathcal{I}_E$ is
the ideal sheaf of $f^*E$.

Remark. The map $D \mapsto f(D)$ is not in general linear in $D$. We do not extend it to the divisor
group on $X$, and in fact will only need schematic images of prime divisors on $X$ in what follows.

In contrast, the maps $f_*$ and $f^*$ are linear by definition.

Now assume $f$ is a finite morphism between projective curves, in the sense of § 2.5. In particular,
we have a homomorphism $f^\#\colon S_Y \to S_X$ of graded $k$-algebras. We will give algorithms to
compute the image and the push-forward of a divisor on $X$ as well as the pull-back of a divisor
on $Y$.

The schematic image $f(D)$ of an effective divisor $D$ on $X$ can be computed using the following
obvious algorithm.

Algorithm 2.5 (Image of a divisor under a finite morphism). Let $f\colon X \to Y$ be a finite morphism
between projective curves, let $i$ be a positive integer, and let $D$ be an effective divisor on $X$. Given
the $k$-algebras $S_X^{(i)}$ and $S_Y^{(i)}$, the homomorphism $f^\#\colon S_Y^{(i)} \to S_X^{(i)}$ and the subspace $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$
of $\Gamma(X, \mathcal{L}_X^{\otimes i})$, this algorithm outputs the subspace $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f(D)))$ of $\Gamma(Y, \mathcal{L}_Y^{\otimes i})$.

1. Output the inverse image of the subspace $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$ of $\Gamma(X, \mathcal{L}_X^{\otimes i})$ under the linear map

$$\Gamma(Y, \mathcal{L}_Y^{\otimes i}) \to \Gamma(X, \mathcal{L}_X^{\otimes i}).$$

Analysis. The definition of $f(D)$ implies that $\mathcal{L}_Y^{\otimes i}(-f(D))$ equals the inverse image of $f_*\mathcal{L}_X^{\otimes i}(-D)$
under the natural map $\mathcal{L}_Y^{\otimes i} \to f_*\mathcal{L}_X^{\otimes i}$. Taking global sections, we see that $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f(D)))$ is the
inverse image of $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$ under the natural map $\Gamma(Y, \mathcal{L}_Y^{\otimes i}) \to \Gamma(X, \mathcal{L}_X^{\otimes i})$. It is clear that
the algorithm needs a number of operations in $k$ that is polynomial in $\deg \mathcal{L}_X$ and $i$. ◇

Remark. In the above algorithm, there are no restrictions on the degrees of $D$ and $f(D)$. However,
$f(D)$ is not uniquely determined by $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f(D)))$ if its degree is too large.

The algorithm to compute pull-backs that we will now give is based on the fact that the pull-back
of an effective divisor $E$ is simply the fibred product $E \times_Y X$, viewed as a closed subscheme
of $X$. In particular, the algorithm does not have to compute the ramification indices, so instead
we can use it to compute ramification indices. Namely, if $P$ is a prime divisor on $X$, we see
from (2.7) that the ramification index at $P$ equals the multiplicity with which $P$ occurs in the
divisor $f^*(f(P))$.

Algorithm 2.6 (Pull-back of a divisor under a finite morphism). Let $f\colon X \to Y$ be a finite
morphism between projective curves. Let $i$ and $j$ be positive integers, and let $E$ be an effective
divisor on $Y$ such that

$$\deg f \cdot \deg E < i \deg \mathcal{L}_X - 2g_X, \qquad \deg E < i \deg \mathcal{L}_Y - 2g_Y$$

and

$$(j - i) \deg \mathcal{L}_X + \deg f \cdot \deg E > 2g_X - 1.$$

(If we take $j > i + 1$, the last inequality does not pose an extra restriction on $E$.) Given the
$k$-algebras $S_X^{(i+j)}$ and $S_Y^{(i+j)}$, the $k$-algebra homomorphism $f^\#\colon S_Y^{(i+j)} \to S_X^{(i+j)}$ and the subspace
$\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-E))$ of $\Gamma(Y, \mathcal{L}_Y^{\otimes i})$, this algorithm outputs the subspace $\Gamma(X, \mathcal{L}_X^{\otimes i}(-f^*E))$ of $\Gamma(X, \mathcal{L}_X^{\otimes i})$.

1. Compute the image $W$ of $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-E))$ under the linear map

$$f^\#\colon \Gamma(Y, \mathcal{L}_Y^{\otimes i}) \to \Gamma(X, \mathcal{L}_X^{\otimes i}).$$

2. Compute the space $\Gamma(X, \mathcal{L}_X^{\otimes(i+j)}(-f^*E))$ as the product of $W$ and $\Gamma(X, \mathcal{L}_X^{\otimes j})$ (see Lemma 2.3).

3. Compute $\Gamma(X, \mathcal{L}_X^{\otimes i}(-f^*E))$ using Lemma 2.2, and output the result.

Analysis. The ideal in $S_Y$ defining $E$ is generated by the linear forms vanishing on $E$, and the ideal
of $S_X$ defining $f^*E$ is generated by the pull-backs of these forms. This shows that $f^*E$ is defined
by the forms in $W$. In the second and third step, the space of all forms vanishing
on $f^*E$ is computed, i.e. the inflation of $W$. That the method described is correct was proved
in § 2.3. The running time is clearly polynomial in $\deg \mathcal{L}_X$, $i$ and $j$. ◇

Algorithm 2.7 (Push-forward of a divisor under a finite morphism). Let $f\colon X \to Y$ be a finite
morphism between projective curves over a field $k$, let $i$ be a positive integer, and let $D$ be an
effective divisor on $X$ such that

$$\deg D < i \deg \mathcal{L}_X - 2g_X - 1 \quad\text{and}\quad \deg D < i \deg \mathcal{L}_Y - 2g_Y.$$

Suppose that we have a (probabilistic) algorithm to compute the primary decomposition of a
finite commutative $k$-algebra $A$ with (expected) running time polynomial in $[A : k]$, measured in
operations in $k$. Given the $k$-algebras $S_X^{(2i)}$ and $S_Y^{(2i)}$, the homomorphism $f^\#\colon S_Y^{(2i)} \to S_X^{(2i)}$ and
the subspace $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$ of $\Gamma(X, \mathcal{L}_X^{\otimes i})$, this algorithm outputs the subspace $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f_*D))$
of $\Gamma(Y, \mathcal{L}_Y^{\otimes i})$.

1. Compute $\Gamma(X, \mathcal{L}_X^{\otimes 2i}(-D))$ as the product of $\Gamma(X, \mathcal{L}_X^{\otimes i})$ and $\Gamma(X, \mathcal{L}_X^{\otimes i}(-D))$ (see Lemma 2.1).

2. Find the decomposition of $D$ as a linear combination $\sum_P n_P P$ of prime divisors using
Algorithm 2.4.

3. For each prime divisor $P$ in the support of $D$, compute the space $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f(P)))$ using
Algorithm 2.5, and compute $[k(P) : k(f(P))]$.

4. Compute the space $\Gamma(Y, \mathcal{L}_Y^{\otimes i}(-f_*D))$, where

$$f_*D = \sum_P n_P\,[k(P) : k(f(P))]\,f(P),$$

and output the result.

Analysis. The correctness of the algorithm follows from the definition of $f_*$. It runs in (probabilistic)
polynomial time in $\deg \mathcal{L}_X$ and $i$, measured in field operations in $k$. ◇

We include here another algorithm that computes the push-forward of an effective divisor
under a non-constant rational function $X \to \mathbf{P}^1$ in a slightly different setting than before. We only
assume $X$ to be given as a projective curve, and we represent effective divisors on $\mathbf{P}^1$ as zero loci
of homogeneous polynomials. For simplicity, we only consider divisors of degree at most $\deg \mathcal{L}_X$.

Algorithm 2.8 (Push-forward of an effective divisor by a rational function). Let X be a projective 
curve over a field k, let i be a positive integer, let ijj he a non-constant rational function on X 
given as the quotient of two sections s,t £ r(X, without common zeroes, and let D be an 
effective divisor on X of degree d < degCx- Suppose that we have a (probabilistic) algorithm to 
compute the primary decomposition of a finite commutative fc-algebra A with (expected) running 
time polynomial in [A : fc], measured in operations in k. Given the fc-algebra ^nd the 

subspacc T{X, C'^{—D)), this algorithm outputs the homogeneous polynomial of degree d defining 
the closed subscheme of P^. (This polynomial is unique up to multiplication by elements 
of fc^) 

1. Compute the space T{X, C^{—D)), and use Algorithm 2.4 to compute the decomposition 
of D as a linear combination D = nqQ of prime divisors. 

2. For each prime divisor Q occurring in the decomposition of D: 

3. Compute the base change X^(^q), where k{Q) is the residue field of Q. Compute the 
primary decomposition of Qk{Q) and pick a rational point Q' in it. 

4. Compute r(Xj,(Q), £|^^(— Q')), then compute the (one-dimensional) intersection of this 
space with k ■ s + k ■ t, and express some generator of this intersection as bgs — aqt 
with UQjbg e k{Q). The element tp{Q') G P^{k{Qj) now has homogeneous coordinates 
{aq : bq). 

5. Compute the homogeneous polynomial 

U,Q = ^k{q)/k{bqu - aqv) e k[u, v] 

defining 

6. Output the homogeneous polynomial 

U,D = '[[fM ^ ^["'^] 

Q 

of degree d defining ip^,D. 

Analysis. It is straightforward to check that the algorithm is correct and has expected running
time polynomial in $i$ and $\deg \mathcal{L}_X$, counted in operations in $k$. ◇

2.7. The norm functor for effective divisors

Let $X$ be a proper, smooth, geometrically connected curve over a field $k$, and let $E$ be an effective
divisor on $X$. We view $E$ as a closed subscheme of $X$, finite over $k$, and we write

$$j_E\colon E \to X$$

for the closed immersion of $E$ into $X$. For the purposes of § 3.6 below, we will need an explicit
description of the norm functor $N_{E/k}$ (for the canonical morphism $E \to \operatorname{Spec} k$) that we saw in § 2.5.
We view $N_{E/k}$ as a functor from free $\mathcal{O}_E$-modules of rank 1 to $k$-vector spaces of dimension 1.
Let $\mathcal{M}$ be a line bundle on $X$. We abbreviate

$$\Gamma(E, \mathcal{M}) = \Gamma(E, j_E^*\mathcal{M})$$

and

$$N_{E/k}\mathcal{M} = N_{E/k}(j_E^*\mathcal{M}).$$

Suppose we have two line bundles $\mathcal{M}^+$ and $\mathcal{M}^-$, both of degree at least $\deg E + 2g - 1$, together
with an isomorphism

$$\mathcal{M} \cong \mathcal{H}om_{\mathcal{O}_X}(\mathcal{M}^-, \mathcal{M}^+).$$

Then we can compute $\Gamma(E, \mathcal{M}^-)$ and $\Gamma(E, \mathcal{M}^+)$ using the short exact sequences

$$0 \to \Gamma(X, \mathcal{M}^\pm(-E)) \to \Gamma(X, \mathcal{M}^\pm) \to \Gamma(E, \mathcal{M}^\pm) \to 0,$$

and we can express $N_{E/k}\mathcal{M}$ via the isomorphism

$$N_{E/k}\mathcal{M} \cong \operatorname{Hom}_k(\det\nolimits_k \Gamma(E, \mathcal{M}^-), \det\nolimits_k \Gamma(E, \mathcal{M}^+)) \tag{2.8}$$

deduced from (2.5). We fix $k$-bases of $\Gamma(E, \mathcal{M}^-)$ and $\Gamma(E, \mathcal{M}^+)$. From the induced trivialisations
of $\det_k \Gamma(E, \mathcal{M}^\pm)$ we then obtain a trivialisation of $N_{E/k}\mathcal{M}$.

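Now consider three line bundles $\mathcal{M}$, $\mathcal{N}$ and $\mathcal{P}$, together with an isomorphism

$$\mu\colon \mathcal{M} \otimes_{\mathcal{O}_X} \mathcal{N} \xrightarrow{\sim} \mathcal{P}.$$

By the linearity of the norm functor, $\mu$ induces an isomorphism

$$N_{E/k}\mathcal{M} \otimes_k N_{E/k}\mathcal{N} \xrightarrow{\sim} N_{E/k}\mathcal{P}. \tag{2.9}$$

As above, we choose isomorphisms

$$\mathcal{M} \cong \mathcal{H}om_{\mathcal{O}_X}(\mathcal{M}^-, \mathcal{M}^+), \qquad \mathcal{N} \cong \mathcal{H}om_{\mathcal{O}_X}(\mathcal{N}^-, \mathcal{N}^+), \qquad \mathcal{P} \cong \mathcal{H}om_{\mathcal{O}_X}(\mathcal{P}^-, \mathcal{P}^+)$$

on $X$, where $\mathcal{M}^\pm$, $\mathcal{N}^\pm$ and $\mathcal{P}^\pm$ are line bundles of degree at least $\deg E + 2g + 1$. We fix bases of
the six $k$-vector spaces

$$\Gamma(E, \mathcal{M}^\pm), \qquad \Gamma(E, \mathcal{N}^\pm), \qquad \Gamma(E, \mathcal{P}^\pm).$$

Then (2.8) gives trivialisations of $N_{E/k}\mathcal{M}$, $N_{E/k}\mathcal{N}$ and $N_{E/k}\mathcal{P}$. Under these trivialisations, the
isomorphism (2.9) equals multiplication by some element $\lambda \in k^\times$.

To find an expression for $\lambda$, we choose generators $\alpha_{\mathcal{M}}^\pm$ and $\alpha_{\mathcal{N}}^\pm$ of the $\mathcal{O}_E$-modules $\Gamma(E, \mathcal{M}^\pm)$
and $\Gamma(E, \mathcal{N}^\pm)$. To these we associate the isomorphisms

$$\alpha_{\mathcal{M}}\colon \Gamma(E, \mathcal{M}^-) \xrightarrow{\sim} \Gamma(E, \mathcal{M}^+)$$

and

$$\alpha_{\mathcal{N}}\colon \Gamma(E, \mathcal{N}^-) \xrightarrow{\sim} \Gamma(E, \mathcal{N}^+)$$

sending $\alpha_{\mathcal{M}}^-$ to $\alpha_{\mathcal{M}}^+$ and $\alpha_{\mathcal{N}}^-$ to $\alpha_{\mathcal{N}}^+$, respectively. Viewing $\alpha_{\mathcal{M}}$ and $\alpha_{\mathcal{N}}$ as generators of $\Gamma(E, \mathcal{M})$
and $\Gamma(E, \mathcal{N})$ and applying the isomorphism

$$\mu\colon \Gamma(E, \mathcal{M}) \otimes_{\Gamma(E, \mathcal{O}_E)} \Gamma(E, \mathcal{N}) \xrightarrow{\sim} \Gamma(E, \mathcal{P})$$

to $\alpha_{\mathcal{M}} \otimes \alpha_{\mathcal{N}}$ we obtain a generator of $\Gamma(E, \mathcal{P})$, which we can identify with an isomorphism

$$\alpha_{\mathcal{P}}\colon \Gamma(E, \mathcal{P}^-) \xrightarrow{\sim} \Gamma(E, \mathcal{P}^+).$$

We define $\delta_{\mathcal{M}}$ as the determinant of the matrix of $\alpha_{\mathcal{M}}$ with respect to the chosen bases. Under
the given trivialisations of $N_{E/k}\mathcal{M}$, the element $N_{E/k}\alpha_{\mathcal{M}}$ corresponds to $\delta_{\mathcal{M}}$. The same goes for
$\mathcal{N}$ and $\mathcal{P}$. On the other hand, the isomorphism (2.9) maps $N_{E/k}\alpha_{\mathcal{M}} \otimes N_{E/k}\alpha_{\mathcal{N}}$ to $N_{E/k}\alpha_{\mathcal{P}}$. We
conclude that we can express $\lambda$ as

$$\lambda = \frac{\delta_{\mathcal{P}}}{\delta_{\mathcal{M}}\,\delta_{\mathcal{N}}}. \tag{2.10}$$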
Let us turn the above discussion into an algorithm. Let $X$ be a projective curve over $k$,
embedded via a line bundle $\mathcal{L}$, and let $E$ be an effective divisor on $X$. For simplicity, we restrict
to the case where

$$\deg E < \deg \mathcal{L}.$$

We consider line bundles

$$\mathcal{M} = \mathcal{L}^{\otimes i}(-D_1) \quad\text{and}\quad \mathcal{N} = \mathcal{L}^{\otimes j}(-D_2),$$

where $i$ and $j$ are non-negative integers and $D_1$ and $D_2$ are effective divisors such that

$$\deg D_1 = i \deg \mathcal{L} \quad\text{and}\quad \deg D_2 = j \deg \mathcal{L}.$$

We take

$$\mathcal{M}^- = \mathcal{N}^- = \mathcal{P}^- = \mathcal{L}^{\otimes 2}$$

and
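Algorithm 2.9 (Linearity of the norm functor). Let $X$ be a projective curve over a field $k$, and
let $E$, $D_1$ and $D_2$ be effective divisors on $X$ such that

$$\deg E = \deg \mathcal{L}, \qquad \deg D_1 < i \deg \mathcal{L}, \qquad \deg D_2 < j \deg \mathcal{L}.$$

Fix bases of the four $k$-vector spaces

$$\Gamma(E, \mathcal{L}^{\otimes 2}), \qquad \Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)),$$
$$\Gamma(E, \mathcal{L}^{\otimes(j+2)}(-D_2)), \qquad \Gamma(E, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2)),$$

and consider the corresponding trivialisations

$$t_1\colon k \xrightarrow{\sim} N_{E/k}\mathcal{L}^{\otimes i}(-D_1), \qquad t_2\colon k \xrightarrow{\sim} N_{E/k}\mathcal{L}^{\otimes j}(-D_2),$$
$$t_3\colon k \xrightarrow{\sim} N_{E/k}\mathcal{L}^{\otimes(i+j)}(-D_1 - D_2)$$

defined by (2.8). Given the $k$-algebra $S_X^{(i+j+4)}$, bases for the $k$-vector spaces

$$\Gamma(X, \mathcal{L}^{\otimes 2}), \qquad \Gamma(X, \mathcal{L}^{\otimes(i+2)}(-D_1)),$$
$$\Gamma(X, \mathcal{L}^{\otimes(j+2)}(-D_2)), \qquad \Gamma(X, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2))$$

and the quotient maps

$$\begin{aligned}
\Gamma(X, \mathcal{L}^{\otimes 2}) &\to \Gamma(E, \mathcal{L}^{\otimes 2}), \\
\Gamma(X, \mathcal{L}^{\otimes(i+2)}(-D_1)) &\to \Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)), \\
\Gamma(X, \mathcal{L}^{\otimes(j+2)}(-D_2)) &\to \Gamma(E, \mathcal{L}^{\otimes(j+2)}(-D_2)), \\
\Gamma(X, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2)) &\to \Gamma(E, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2))
\end{aligned}$$

as matrices with respect to the given bases, this algorithm outputs the element $\lambda \in k^\times$ such that
the diagram

$$\begin{array}{ccc}
k & \xrightarrow{\;t_1 \otimes t_2\;} & N_{E/k}\mathcal{L}^{\otimes i}(-D_1) \otimes_k N_{E/k}\mathcal{L}^{\otimes j}(-D_2) \\
{\scriptstyle\lambda}\downarrow & & \downarrow{\scriptstyle\sim} \\
k & \xrightarrow{\;t_3\;} & N_{E/k}\mathcal{L}^{\otimes(i+j)}(-D_1 - D_2)
\end{array}$$

is commutative.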
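
1. Compute the spaces

$$\Gamma(E, \mathcal{L}^{\otimes(i+4)}(-D_1)) \quad\text{and}\quad \Gamma(E, \mathcal{L}^{\otimes(i+j+4)}(-D_1 - D_2))$$

and the multiplication maps

$$\begin{aligned}
\Gamma(E, \mathcal{L}^{\otimes 2}) \times \Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)) &\to \Gamma(E, \mathcal{L}^{\otimes(i+4)}(-D_1)), \\
\Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)) \times \Gamma(E, \mathcal{L}^{\otimes(j+2)}(-D_2)) &\to \Gamma(E, \mathcal{L}^{\otimes(i+j+4)}(-D_1 - D_2)), \\
\Gamma(E, \mathcal{L}^{\otimes 2}) \times \Gamma(E, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2)) &\to \Gamma(E, \mathcal{L}^{\otimes(i+j+4)}(-D_1 - D_2)).
\end{aligned}$$

2. Apply the probabilistic method described in § 1.2 to the bilinear maps just computed to find
generators $\beta_0$, $\beta_1$ and $\beta_2$ of the free $\Gamma(E, \mathcal{O}_E)$-modules $\Gamma(E, \mathcal{L}^{\otimes 2})$, $\Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1))$ and
$\Gamma(E, \mathcal{L}^{\otimes(j+2)}(-D_2))$ of rank 1.

(Note that we do not need the $k$-algebra structure on $\Gamma(E, \mathcal{O}_E)$. If $k$ is small, we may have
to extend the base field, but it is easy to see that this is not a problem.)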

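3. Compute the matrix (with respect to the given bases) of the isomorphism $\alpha_1$ defined by the
commutative diagram

$$\begin{array}{ccc}
\Gamma(E, \mathcal{L}^{\otimes 2}) & \xrightarrow{\;\alpha_1\;} & \Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)) \\
\Vert & & {\scriptstyle\sim}\downarrow{\scriptstyle\cdot\beta_0} \\
\Gamma(E, \mathcal{L}^{\otimes 2}) & \xrightarrow{\;\cdot\beta_1\;} & \Gamma(E, \mathcal{L}^{\otimes(i+4)}(-D_1)),
\end{array}$$

of the isomorphism $\alpha_2$ defined by the similar diagram for $\mathcal{L}^{\otimes j}(-D_2)$ instead of $\mathcal{L}^{\otimes i}(-D_1)$ and
of the isomorphism $\alpha_3$ defined by the commutative diagram

$$\begin{array}{ccc}
\Gamma(E, \mathcal{L}^{\otimes 2}) & \xrightarrow{\;\alpha_3\;} & \Gamma(E, \mathcal{L}^{\otimes(i+j+2)}(-D_1 - D_2)) \\
 & & \\
\Gamma(E, \mathcal{L}^{\otimes(i+2)}(-D_1)) & \longrightarrow & \Gamma(E, \mathcal{L}^{\otimes(i+j+4)}(-D_1 - D_2)).
\end{array}$$

4. Compute the elements $\delta_1$, $\delta_2$ and $\delta_3$ of $k^\times$ as the determinants of the matrices of $\alpha_1$, $\alpha_2$ and
$\alpha_3$ computed in the previous step.

5. Output the element $\dfrac{\delta_3}{\delta_1\delta_2} \in k^\times$.

Analysis. We note that $\beta_0$ plays the role of $\alpha_{\mathcal{M}}^-$, $\alpha_{\mathcal{N}}^-$ and $\alpha_{\mathcal{P}}^-$ in the notation of the discussion
preceding the algorithm, and that $\beta_1$, $\beta_2$ and $\beta_1\beta_2/\beta_0$ play the roles of $\alpha_{\mathcal{M}}^+$, $\alpha_{\mathcal{N}}^+$ and $\alpha_{\mathcal{P}}^+$. This
means that $\alpha_1$, $\alpha_2$ and $\alpha_3$ are equal to $\alpha_{\mathcal{M}}$, $\alpha_{\mathcal{N}}$ and $\alpha_{\mathcal{P}}$. It now follows from (2.10) that the
output of the algorithm is indeed equal to $\lambda$. It is clear that the algorithm runs in (probabilistic)
polynomial time in $\deg \mathcal{L}$, $i$ and $j$, measured in field operations in $k$. ◇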

2.8. Computing in the Picard group of a curve

We now explain how to compute with elements in the Picard group of a curve $X$, using the
operations on divisors described in the first part of this section. We only consider the group $\operatorname{Pic}^0 X$
of isomorphism classes of line bundles of degree 0. This group can be identified in a canonical way
with a subgroup of rational points of the Jacobian variety of $X$. If $X$ has a rational point, then
this subgroup consists of all the rational points of the Jacobian.

We will only describe Khuri-Makdisi's medium model of $\operatorname{Pic}^0 X$ relative to a fixed line bundle $\mathcal{L}$
of degree

$$\deg \mathcal{L} \ge 2g + 1,$$

but at the same time

$$\deg \mathcal{L} \le c(g + 1)$$

for some constant $c > 1$, as described in Khuri-Makdisi [12, § 5].

Remark. Khuri-Makdisi starts with a divisor $D_0$ whose degree satisfies the above inequalities and
takes $\mathcal{L} = \mathcal{O}_X(D_0)$. This is of course only a matter of language. Another difference in notation
is that Khuri-Makdisi writes $\mathcal{L}_0$ for $\mathcal{L}$ and uses the notation $\mathcal{L}$ for $\mathcal{L}^{\otimes 2}$ (in the medium model)
or $\mathcal{L}^{\otimes 3}$ (in the large and small models, which we do not describe here).

We represent elements of $\operatorname{Pic}^0 X$ by effective divisors of degree $\deg \mathcal{L}$ as follows: the isomorphism
class of a line bundle $\mathcal{M}$ of degree 0 is represented by the divisor of some global section of
the line bundle $\mathcal{H}om(\mathcal{M}, \mathcal{L})$ of degree $\deg \mathcal{L}$, i.e. by any effective divisor $D$ such that

$$\mathcal{M} \cong \mathcal{L}(-D).$$

It follows from the inequality $\deg \mathcal{L} > 2g$ that we can represent any effective divisor $D$ of
degree $\deg \mathcal{L}$ by the subspace $\Gamma(X, \mathcal{L}^{\otimes 2}(-D))$ of codimension $\deg \mathcal{L}$ in $\Gamma(X, \mathcal{L}^{\otimes 2})$.
There are a few basic operations:

• membership test: given a subspace of codimension $\deg \mathcal{L}$ in $\Gamma(X, \mathcal{L}^{\otimes 2})$, decide whether it
represents an element of $\operatorname{Pic}^0 X$, i.e. whether it is of the form $\Gamma(X, \mathcal{L}^{\otimes 2}(-D))$ for an effective
divisor $D$ of degree $\deg \mathcal{L}$.

• zero test: given a subspace of codimension $\deg \mathcal{L}$ in $\Gamma(X, \mathcal{L}^{\otimes 2})$, decide whether it represents
the zero element of $\operatorname{Pic}^0 X$.

• zero element: output a subspace of codimension $\deg \mathcal{L}$ in $\Gamma(X, \mathcal{L}^{\otimes 2})$ representing the element
$0 \in \operatorname{Pic}^0 X$.

• addflip: given two subspaces of $\Gamma(X, \mathcal{L}^{\otimes 2})$ representing elements $x, y \in \operatorname{Pic}^0 X$, compute a
subspace of $\Gamma(X, \mathcal{L}^{\otimes 2})$ representing the element $-x - y$.

From the "addflip" operation, one immediately gets negation ($-x = -x - 0$), addition ($x + y =
-(-x - y)$) and subtraction ($x - y = -(-x) - y$). Clearly, one can test whether two elements $x$
and $y$ are equal by computing $x - y$ and testing whether the result equals zero.

Remark. With regard to actual implementations of the above algorithms, we note that some of
the operations can be implemented in a more efficient way than by composing the basic operations
just described. We refer to [13] for details.

By Khuri-Makdisi's results in [13], the above operations can be implemented using randomised
algorithms with expected running time of $O(g^{3+\varepsilon})$ for any $\varepsilon > 0$, measured in operations in the
field $k$. This can be improved to $O(g^{2.376})$ by means of fast linear algebra algorithms. (The
exponent 2.376 is an upper bound for the complexity of matrix multiplication.)

Multiplication by an integer $n$ can be done efficiently by means of an addition chain for $n$.
This is a sequence of positive integers $(a_1, a_2, \ldots, a_m)$ with $a_1 = 1$ and $a_m = n$ such that for each
$l > 1$ there exist $i(l)$ and $j(l)$ in $\{1, 2, \ldots, l - 1\}$ such that $a_l = a_{i(l)} + a_{j(l)}$. We consider the indices
$i(l)$ and $j(l)$ as given together with the addition chain. The integer $m$ is called the length of the
addition chain. A more general and often slightly more efficient method of multiplying by $n$ is
to use an addition-subtraction chain, where $a_l$ is allowed to be either $a_{i(l)} + a_{j(l)}$ or $a_{i(l)} - a_{j(l)}$.
However, since the "addflip" operation in our set-up takes less time than the addition or subtraction
algorithms, the most worthwhile option is to use an anti-addition chain, which is a sequence of
(not necessarily positive) integers $(a_0, a_1, \ldots, a_m)$ such that

$$a_l = \begin{cases} 0 & \text{if } l = 0; \\ 1 & \text{if } l = 1; \\ -a_{i(l)} - a_{j(l)} & \text{if } 2 \le l \le m \end{cases}$$

and $a_m = n$; the $i(l)$ and $j(l)$ are given elements of $\{0, 1, \ldots, l - 1\}$ for $2 \le l \le m$.

It is well known that for every positive integer n there exists an addition chain whose length 
is bounded by a constant times log n. Moreover, there are algorithms (such as the binary method 
used for repeated squaring) to find such an addition chain in time 0((logn)^). We leave it to the 
reader to write down a similar algorithm for finding an anti-addition chain. 
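
One possible answer to that exercise, as an added example that is not taken from the paper: a binary method that builds an anti-addition chain for $n$, and a generic routine that multiplies by $n$ using only "addflip". The function names are this example's own, and the toy elliptic curve $y^2 = x^3 + 2x + 3$ over $\mathbf{F}_{97}$ with base point $(3, 6)$ is constructed sample data; it stands in for $\operatorname{Pic}^0 X$ because the chord-and-tangent construction on such a curve returns $-P - Q$ directly.

```python
# Added illustration: anti-addition chains, evaluated with addflip only.
# The curve, prime and base point are constructed sample values.

P_MOD, A_COEF = 97, 2          # toy curve y^2 = x^3 + 2x + 3 over F_97
BASE_POINT = (3, 6)            # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)


def anti_addition_chain(n):
    """Return (values, steps) with values[-1] == n for an integer n >= 1.

    values[0] = 0, values[1] = 1 and values[l] = -values[i] - values[j] with
    steps[l] = (i, j), i, j < l, for l >= 2.  Binary method: while scanning
    the bits of n, the current entry equals sign * (prefix of n read so far).
    """
    if n < 1:
        raise ValueError("n must be a positive integer")
    values, steps = [0, 1], [None, None]

    def push(i, j):
        values.append(-values[i] - values[j])
        steps.append((i, j))
        return len(values) - 1

    cur, sign, minus_one = 1, 1, None
    for bit in bin(n)[3:]:                      # bits below the leading 1
        cur, sign = push(cur, cur), -sign       # doubling: entry is sign * 2v
        if bit == "1":
            if sign == 1:
                unit = 1                        # index of the entry +1
            else:
                if minus_one is None:
                    minus_one = push(1, 0)      # -1 - 0 = -1
                unit = minus_one
            cur, sign = push(cur, unit), -sign  # entry is now sign * (2v + 1)
    if sign == -1:
        push(cur, 0)                            # final negation: -x - 0
    return values, steps


def multiply(n, x, addflip, zero):
    """Compute n*x in an abelian group with one addflip per chain step."""
    _, steps = anti_addition_chain(n)
    elems = [zero, x]
    for i, j in steps[2:]:
        elems.append(addflip(elems[i], elems[j]))
    return elems[-1]


def negate(x, addflip, zero):
    return addflip(x, zero)                         # -x = -x - 0


def add(x, y, addflip, zero):
    return negate(addflip(x, y), addflip, zero)     # x + y = -(-x - y)


def subtract(x, y, addflip, zero):
    return addflip(negate(x, addflip, zero), y)     # x - y = -(-x) - y


def ec_addflip(P, Q):
    """Third intersection point of the line through P and Q, i.e. -P - Q.

    Points are (x, y) tuples modulo P_MOD; None is the point at infinity.
    """
    if P is None or Q is None:
        R = Q if P is None else P
        return None if R is None else (R[0], -R[1] % P_MOD)
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                 # vertical line: P + Q = 0
    if P == Q:
        slope = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        slope = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (slope * slope - x1 - x2) % P_MOD
    return (x3, (y1 + slope * (x3 - x1)) % P_MOD)
```

The chain produced this way has length at most $2\lfloor\log_2 n\rfloor + 3$; shorter chains exist for many $n$, so this is a baseline rather than an optimum.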

For later use, we give versions of the "zero test" and "addflip" algorithms that are identical
to those given by Khuri-Makdisi, except that some extra information computed in the course of
the algorithm is part of the output.

Algorithm 2.10 (Zero test). Let $X$ be a projective curve over a field $k$, and let $x$ be an element
of $\operatorname{Pic}^0 X$. Given the $k$-algebra $S_X^{(2)}$ and a subspace $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$ of $\Gamma(\mathcal{L}_X^{\otimes 2})$ representing $x$, this
algorithm outputs false if $x \ne 0$ (i.e. if the line bundle $\mathcal{L}_X(-D)$ is non-trivial). If $\mathcal{L}_X(-D)$ is
trivial, the algorithm outputs a pair (true, $s$), where $s$ is a global section of $\mathcal{L}_X$ with divisor $D$.

1. Compute the space

$$\Gamma(\mathcal{L}_X(-D)) = \{s \in \Gamma(\mathcal{L}_X) \mid s\,\Gamma(\mathcal{L}_X) \subseteq \Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))\}.$$

(The truth of this equality follows from Lemma 2.2.)

2. If $\Gamma(\mathcal{L}_X(-D)) = 0$, output false. Otherwise, output (true, $s$), where $s$ is any non-zero
element of the one-dimensional $k$-vector space $\Gamma(\mathcal{L}_X(-D))$.

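Algorithm 2.11 (Addflip). Let $X$ be a projective curve over a field $k$, and let $x$ and $y$ be elements
of $\operatorname{Pic}^0 X$. Given the $k$-algebra $S_X^{(5)}$ and subspaces $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$ and $\Gamma(\mathcal{L}_X^{\otimes 2}(-E))$ of $\Gamma(\mathcal{L}_X^{\otimes 2})$
representing $x$ and $y$, this algorithm outputs a subspace $\Gamma(\mathcal{L}_X^{\otimes 2}(-F))$ representing $-x - y$, as well
as a global section $s$ of $\mathcal{L}_X^{\otimes 3}$ such that

$$\operatorname{div} s = D + E + F.$$

1. Compute $\Gamma(\mathcal{L}_X^{\otimes 4}(-D - E))$ as the product of $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$ and $\Gamma(\mathcal{L}_X^{\otimes 2}(-E))$ (see Lemma 2.1).

2. Compute the space

$$\Gamma(\mathcal{L}_X^{\otimes 3}(-D - E)) = \{s \in \Gamma(\mathcal{L}_X^{\otimes 3}) \mid s\,\Gamma(\mathcal{L}_X) \subseteq \Gamma(\mathcal{L}_X^{\otimes 4}(-D - E))\}$$

(see Lemma 2.2).

3. Choose any non-zero $s \in \Gamma(\mathcal{L}_X^{\otimes 3}(-D - E))$. Let $F$ denote the divisor of $s$ as a global section
of $\mathcal{L}_X^{\otimes 3}(-D - E)$.

4. Compute the space

$$\Gamma(\mathcal{L}_X^{\otimes 5}(-D - E - F)) = s\,\Gamma(\mathcal{L}_X^{\otimes 2}).$$

5. Compute the space

$$\Gamma(\mathcal{L}_X^{\otimes 2}(-F)) = \{t \in \Gamma(\mathcal{L}_X^{\otimes 2}) \mid t\,\Gamma(\mathcal{L}_X^{\otimes 3}(-D - E)) \subseteq \Gamma(\mathcal{L}_X^{\otimes 5}(-D - E - F))\}$$

(see again Lemma 2.2).

6. Output the space $\Gamma(\mathcal{L}_X^{\otimes 2}(-F))$ and the section $s \in \Gamma(\mathcal{L}_X^{\otimes 3})$.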

2.9. Normalised representatives of elements of the Picard group

Let $X$ be a projective curve over a field $k$, and let $O$ be a $k$-rational point of $X$. Let $x$ be an
element of $\operatorname{Pic}^0 X$, and let $\mathcal{M}$ be a line bundle representing $x$. Let $r_x^{\mathcal{L}_X,O}$ be the greatest integer $r$
such that

$$\Gamma(\mathcal{H}om(\mathcal{M}, \mathcal{L}_X(-rO))) \ne 0.$$

Then $\Gamma(\mathcal{H}om_{\mathcal{O}_X}(\mathcal{M}, \mathcal{L}_X(-r_x^{\mathcal{L}_X,O}O)))$ is one-dimensional, so there exists a unique effective divisor $R$
such that

$$\mathcal{M} \cong \mathcal{L}_X(-R - r_x^{\mathcal{L}_X,O}O).$$

We define the $(\mathcal{L}_X, O)$-normalised representative of $x$ as the effective divisor

$$R_x^{\mathcal{L}_X,O} = R + r_x^{\mathcal{L}_X,O}O$$

of degree $\deg \mathcal{L}_X$; it is a canonically defined divisor (depending on $O$) with the property that $x$ is
represented by $\mathcal{L}_X(-R_x^{\mathcal{L}_X,O})$.

Remark. Since for any line bundle $\mathcal{N}$ we have

$$\deg \mathcal{N} \ge g \implies \Gamma(\mathcal{N}) \ne 0$$

and

$$\deg \mathcal{N} < 0 \implies \Gamma(\mathcal{N}) = 0,$$

the integer $r_x^{\mathcal{L}_X,O}$ satisfies

$$\deg \mathcal{L}_X - g_X \le r_x^{\mathcal{L}_X,O} \le \deg \mathcal{L}_X.$$

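Algorithm 2.12 (Normalised representative). Let $X$ be a projective curve over a field $k$, and let $O$
be a $k$-rational point of $X$. Let $x$ be an element of $\operatorname{Pic}^0 X$, and let $R_x^{\mathcal{L}_X,O}$ be the $(\mathcal{L}_X, O)$-normalised
representative of $x$. Given the $k$-algebra, the space $\Gamma(\mathcal{L}_X^{\otimes 2}(-O))$ and a subspace of $\Gamma(\mathcal{L}_X^{\otimes 2})$
representing $x$, this algorithm outputs the integer $r_x^{\mathcal{L}_X,O}$ and the subspace $\Gamma(\mathcal{L}_X^{\otimes 2}(-R_x^{\mathcal{L}_X,O}))$ of $\Gamma(\mathcal{L}_X^{\otimes 2})$.

1. Using the negation algorithm, find a subspace $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$ of $\Gamma(\mathcal{L}_X^{\otimes 2})$ representing $-x$. Put
$r = \deg \mathcal{L}_X$.

2. Compute $\Gamma(\mathcal{L}_X^{\otimes 2}(-rO))$, then compute $\Gamma(\mathcal{L}_X^{\otimes 4}(-D - rO))$ as the product of $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$
and $\Gamma(\mathcal{L}_X^{\otimes 2}(-rO))$, and then compute

$$\Gamma(\mathcal{L}_X^{\otimes 2}(-D - rO)) = \{t \in \Gamma(\mathcal{L}_X^{\otimes 2}) \mid t\,\Gamma(\mathcal{L}_X^{\otimes 2}) \subseteq \Gamma(\mathcal{L}_X^{\otimes 4}(-D - rO))\}.$$

3. If $\Gamma(\mathcal{L}_X^{\otimes 2}(-D - rO)) = 0$, decrease $r$ by 1 and go to step 2.

4. Let $s$ be a non-zero element of $\Gamma(\mathcal{L}_X^{\otimes 2}(-D - rO))$. Compute

$$\Gamma(\mathcal{L}_X^{\otimes 4}(-D - R_x^{\mathcal{L}_X,O})) = s\,\Gamma(\mathcal{L}_X^{\otimes 2}),$$

and then compute

$$\Gamma(\mathcal{L}_X^{\otimes 2}(-R_x^{\mathcal{L}_X,O})) = \{t \in \Gamma(\mathcal{L}_X^{\otimes 2}) \mid t\,\Gamma(\mathcal{L}_X^{\otimes 2}(-D)) \subseteq \Gamma(\mathcal{L}_X^{\otimes 4}(-D - R_x^{\mathcal{L}_X,O}))\}.$$

5. Output $r_x^{\mathcal{L}_X,O} = r$ and $\Gamma(\mathcal{L}_X^{\otimes 2}(-R_x^{\mathcal{L}_X,O}))$.

Analysis. It follows from the definition of $R_x^{\mathcal{L}_X,O}$ that this algorithm is correct. It is straightforward
to check that its running time, measured in operations in $k$, is polynomial in $\deg \mathcal{L}_X$. ◇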

2.10. Descent of elements of the Picard group

Now let $k'$ be a finite extension of $k$, and write

$$X' = X \times_{\operatorname{Spec} k} \operatorname{Spec} k'.$$

Consider the natural inclusion map

$$i\colon \operatorname{Pic}^0 X \to \operatorname{Pic}^0 X'.$$

Let $x'$ be an element of $\operatorname{Pic}^0 X'$. We can use normalised representatives to decide whether $x'$ lies
in the image of $i$, and if so, to find the unique element $x \in \operatorname{Pic}^0 X$ such that $x' = i(x)$.

Algorithm 2.13 (Descent). Let $X$ be a projective curve over a field $k$, and let $O$ be a $k$-rational
point of $X$. Let $k'$ be a finite extension of $k$, write

$$X' = X \times_{\operatorname{Spec} k} \operatorname{Spec} k',$$

and let $\mathcal{L}_{X'}$ denote the pull-back of the line bundle $\mathcal{L}_X$ to $X'$. Let $x'$ be an element of $\operatorname{Pic}^0 X'$.
Given the $k$-algebra, the spaces

$$\Gamma(X, \mathcal{L}_X^{\otimes 2}(-rO)) \quad\text{for } \deg \mathcal{L}_X - g_X \le r \le \deg \mathcal{L}_X$$

and a subspace of $\Gamma(X', \mathcal{L}_{X'}^{\otimes 2})$ representing $x'$, this algorithm outputs false if $x'$ is not in the image
of the canonical map

$$i\colon \operatorname{Pic}^0 X \to \operatorname{Pic}^0 X'.$$

Otherwise, the algorithm outputs (true, $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))$), where $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))$ represents the
unique element $x \in \operatorname{Pic}^0 X$ such that $i(x) = x'$.

1. Compute the $(\mathcal{L}_{X'}, O)$-normalised representative $R_{x'}^{\mathcal{L}_{X'},O}$ of $x'$.

2. Compute the $k$-vector space

$$V = \Gamma(X', \mathcal{L}_{X'}^{\otimes 2}(-R_{x'}^{\mathcal{L}_{X'},O})) \cap \Gamma(X, \mathcal{L}_X^{\otimes 2}).$$

3. If the codimension of $V$ in $\Gamma(X, \mathcal{L}_X^{\otimes 2})$ is less than $\deg \mathcal{L}_X$, output false; otherwise, output
(true, $V$).

Analysis. In step 3, we check whether $R_{x'}^{\mathcal{L}_{X'},O}$ is defined over $k$ or, equivalently, whether $x'$ is defined
over $k$. If this is the case, the space $V$ equals $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-R_x^{\mathcal{L}_X,O}))$, where $x$ is the unique element
of $\operatorname{Pic}^0 X$ such that $i(x) = x'$. This shows that the algorithm is correct; its running time, measured
in operations in $k$ and $k'$, is clearly polynomial in $\deg \mathcal{L}_X$. ◇

2.11. Picard and Albanese maps

A finite morphism

$$f\colon X \to Y$$

between complete, smooth, geometrically connected curves over a field $k$ induces two group
homomorphisms

$$\operatorname{Pic} f\colon \operatorname{Pic}^0 Y \to \operatorname{Pic}^0 X$$

and

$$\operatorname{Alb} f\colon \operatorname{Pic}^0 X \to \operatorname{Pic}^0 Y,$$

called the Picard and Albanese maps, respectively. In terms of line bundles, they can be described
as follows. The Picard map sends the class of a line bundle $\mathcal{N}$ on $Y$ to the class of the line
bundle $f^*\mathcal{N}$ on $X$, and the Albanese map sends the class of a line bundle $\mathcal{M}$ on $X$ to the class of
the line bundle $N_f\mathcal{M}$ on $Y$.

Alternatively, these maps can be described in terms of divisor classes as follows. The group
homomorphisms

$$f_*\colon \operatorname{Div}^0 X \to \operatorname{Div}^0 Y \quad\text{and}\quad f^*\colon \operatorname{Div}^0 Y \to \operatorname{Div}^0 X$$

between the groups of divisors of degree 0 on $X$ and $Y$ respect the relation of linear equivalence
on both sides. The Picard map sends the class of a divisor $E$ on $Y$ to the class of the divisor $f^*E$
on $X$, and the Albanese map sends the class of a divisor $D$ on $X$ to the class of the divisor $f_*D$
on $Y$.

Let us now assume that $f\colon X \to Y$ is a finite morphism of projective curves in the sense of § 2.5.
The following algorithms can be used to compute the maps $\operatorname{Pic} f$ and $\operatorname{Alb} f$. The algorithm for
the Albanese map is mostly a wax nose, since we only reduce the problem to a different one,
namely that of computing traces in Picard groups with respect to finite extensions of the base
field. However, this is a problem that can be solved at least for finite fields, as we will see in § 3.4.

Algorithm 2.14 (Picard map). Let $f\colon X \to Y$ be a finite morphism of projective curves, and let
$y$ be an element of $\operatorname{Pic}^0 Y$. Given the $k$-algebras $S_X^{(4)}$ and $S_Y^{(4)}$, the homomorphism $f^\#\colon S_Y^{(4)} \to S_X^{(4)}$
and a subspace $\Gamma(Y, \mathcal{L}_Y^{\otimes 2}(-E))$ of $\Gamma(Y, \mathcal{L}_Y^{\otimes 2})$ representing $y$, this algorithm outputs a subspace
of $\Gamma(X, \mathcal{L}_X^{\otimes 2})$ representing $(\operatorname{Pic} f)(y) \in \operatorname{Pic}^0 X$.

1. Compute the subspace $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))$ for the divisor $D = f^*E$ using Algorithm 2.6 (taking
$i = j = 2$ in the notation of that algorithm), and output the result.

Analysis. Since $(\operatorname{Pic} f)(y)$ is represented by the line bundle $\mathcal{L}_X(-f^*E)$, the correctness of this
algorithm follows from that of Algorithm 2.6. Furthermore, the running time of Algorithm 2.6,
measured in operations in $k$, is polynomial in $\deg \mathcal{L}_X$ for fixed $i$ and $j$; therefore, the running time
of this algorithm is also polynomial in $\deg \mathcal{L}_X$. ◇

Algorithm 2.15 (Albanese map). Let $f\colon X \to Y$ be a finite morphism of projective curves over
a field $k$. Let $x$ be an element of $\operatorname{Pic}^0 X$, and let $O$ be a $k$-rational point of $Y$. Suppose that we
have a (probabilistic) algorithm to compute the primary decomposition of a finite commutative
$k$-algebra $A$ with (expected) running time polynomial in $[A : k]$, measured in operations in $k$.
Suppose furthermore that we can compute the trace of an element $y \in \operatorname{Pic}^0(Y_{k'})$ over $k$ for a
finite extension $k'$ of $k$ in time polynomial in $\deg \mathcal{L}_Y$ and $[k' : k]$, measured in operations in $k$.
Given the $k$-algebras and the homomorphism $f^\#$, the space $\Gamma(Y, \mathcal{L}_Y^{\otimes 2}(-O))$
and a subspace $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))$ of $\Gamma(X, \mathcal{L}_X^{\otimes 2})$ representing $x$, this algorithm outputs a subspace
of $\Gamma(Y, \mathcal{L}_Y^{\otimes 2})$ representing $(\operatorname{Alb} f)(x) \in \operatorname{Pic}^0 Y$.

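1. Compute $\Gamma(X, \mathcal{L}_X^{\otimes 4}(-D))$ as the product of $\Gamma(X, \mathcal{L}_X^{\otimes 2})$ and $\Gamma(X, \mathcal{L}_X^{\otimes 2}(-D))$.

2. Find the decomposition of $D$ as a linear combination $\sum_P n_P P$ of prime divisors using
Algorithm 2.4.

3. For each $P$ occurring in the support of $D$:

4. Compute the base changes $X_{k(P)}$ and $Y_{k(P)}$.

5. Find the primary decomposition of the divisor $P_{k(P)}$ on $X_{k(P)}$, and pick a rational point $P'$
in it.

6. Compute the space $\Gamma(Y_{k(P)}, \mathcal{L}_Y^{\otimes 2}(-f(P') - (\deg \mathcal{L}_Y - 1)O))$; this represents an element
$y_{P'} \in \operatorname{Pic}^0(Y_{k(P)})$.

7. Compute the element $y_P = \operatorname{tr}_{k(P)/k}\, y_{P'}$ of $\operatorname{Pic}^0 Y_{k(P)}$. Apply Algorithm 2.13 to get a
representation for $y_P$ as an element of $\operatorname{Pic}^0 Y$.

8. Compute the element $y = \sum_P n_P y_P$ of $\operatorname{Pic}^0(Y)$.

9. Output the element $y - (\deg f)(\deg \mathcal{L}_Y - 1)y_0$ of $\operatorname{Pic}^0 Y$, where $y_0$ is the element of $\operatorname{Pic}^0 Y$
represented by $\Gamma(Y, \mathcal{L}_Y^{\otimes 2}(-(\deg \mathcal{L}_Y)O))$.

Analysis. The definition of $y_{P'}$ implies that

$$y_{P'} = [\mathcal{L}_Y(-f(P') - (\deg \mathcal{L}_Y - 1)O)],$$

the definition of $y_P$ implies that

$$y_P = [\mathcal{L}_Y^{\otimes [k(P):k]}(-f_*P - [k(P) : k](\deg \mathcal{L}_Y - 1)O)]$$

and the definition of $y$ implies that

$$\begin{aligned}
y &= [\mathcal{L}_Y^{\otimes \deg \mathcal{L}_X}(-f_*D - (\deg \mathcal{L}_X)(\deg \mathcal{L}_Y - 1)O)] \\
  &= [\mathcal{L}_Y^{\otimes \deg f}(-f_*D)] + (\deg f)(\deg \mathcal{L}_Y - 1)[\mathcal{L}_Y(-(\deg \mathcal{L}_Y)O)].
\end{aligned}$$

Together with the definition of $y_0$, this shows that

$$y - (\deg f)(\deg \mathcal{L}_Y - 1)y_0 = [\mathcal{L}_Y^{\otimes \deg f}(-f_*D)]$$

and therefore that the output of the algorithm is indeed $(\operatorname{Alb} f)(x)$. Our computational assumptions
imply that the running time is polynomial in $\deg \mathcal{L}_X$, measured in field operations in $k$. ◇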

Finally we consider correspondences, i.e. diagrams of the form

$$\begin{array}{ccccc}
 & & X & & \\
 & {\scriptstyle f}\swarrow & & \searrow{\scriptstyle g} & \\
Y & & & & Z,
\end{array}$$

where $X$, $Y$ and $Z$ are proper, smooth, geometrically connected curves over a field $k$. Such a
correspondence induces group homomorphisms

$$\operatorname{Alb} g \circ \operatorname{Pic} f\colon \operatorname{Pic}^0 Y \to \operatorname{Pic}^0 Z$$

and

$$\operatorname{Alb} f \circ \operatorname{Pic} g\colon \operatorname{Pic}^0 Z \to \operatorname{Pic}^0 Y.$$

Clearly, these can be computed by composing the two algorithms described above.

3. Curves over finite fields

In this section we give algorithms for computing with divisors on a curve over a finite field. After
some preliminaries, we show how to compute the Frobenius map on divisors and how to choose
uniformly random divisors of a given degree. Then we show how to do various operations in the
Picard group of a curve over a finite field, such as choosing random elements, computing the
Frey-Rück pairing and finding a basis of the $l$-torsion for a prime number $l$. Many of the results in this
section, especially those in § 3.7, § 3.8 and § 3.9, are variants of work of Couveignes [4].

From now on, we switch from measuring the running time of algorithms in field operations to 
measuring it in bit operations. The usual field operations in a finite field k can be done in time 
polynomial in log 

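Let $k$ be a finite field of cardinality $q$, and let $X$ be a complete, smooth, geometrically connected curve of genus $g$ over $k$. The zeta function of $X$ is the power series in $\mathbf{Z}[[t]]$ defined by

$$Z_X = \sum_{D \in \operatorname{Eff} X} t^{\deg D} = \sum_{n=0}^{\infty} (\#\operatorname{Eff}^n X)\,t^n = \prod_{P \in \operatorname{PDiv} X} \frac{1}{1 - t^{\deg P}} = \prod_{d=1}^{\infty} (1 - t^d)^{-\#\operatorname{PDiv}^d X}.$$

Here $\operatorname{Eff} X$ and $\operatorname{PDiv} X$ are the sets of effective divisors and prime divisors on $X$, respectively; a superscript denotes the subset of divisors of the indicated degree. The following properties of the zeta function are well known.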

(1) The power series $Z_X$ can be written as a rational function

where $L_X \in \mathbf{Z}[t]$ is a polynomial of the form

$$L_X = 1 + a_1 t + \cdots + a_{2g-1} t^{2g-1} + q^g t^{2g}.$$

(2) The factorisation of $L_X$ over the complex numbers has the form

$$L_X = \prod_{i=1}^{2g} (1 - \alpha_i t), \qquad (3.2)$$

where each $\alpha_i$ has absolute value $\sqrt{q}$.

(3) The polynomial $L_X$ satisfies the functional equation

$$q^g t^{2g} L_X(1/(qt)) = L_X(t). \qquad (3.3)$$

From the definition of $Z_X$ and from (3.1) it is clear how one can compute the number of effective divisors of a given degree on $X$ starting from the polynomial $L_X$. We now show how to extract the number of prime divisors of a given degree from $L_X$. Taking logarithmic derivatives in the definition of $Z_X$ and the expression (3.1), we obtain

$$\frac{Z_X'}{Z_X} = \frac{1}{t} \sum_{n=1}^{\infty} \Bigl( \sum_{d \mid n} d\,\#\operatorname{PDiv}^d X \Bigr) t^n = \frac{L_X'}{L_X} + \frac{1}{1-t} + \frac{q}{1-qt}. \qquad (3.4)$$

Our knowledge of $L_X$ enables us to compute the coefficients of this power series. We can then compute $\#\operatorname{PDiv}^d X$ using the Möbius inversion formula. More explicitly, taking logarithmic derivatives in the factorisation (3.2), we obtain Newton's identity

$$L_X'/L_X = -\sum_{n=0}^{\infty} s_{n+1} t^n,$$
where the $s_n$ are the power sums

$$s_n = \sum_{i=1}^{2g} \alpha_i^n \qquad (n \in \mathbf{Z}).$$

Expanding the right-hand side of (3.4) in a power series and comparing coefficients, we get

$$\sum_{d \mid n} d\,\#\operatorname{PDiv}^d X = 1 + q^n - s_n,$$

or equivalently, by the Möbius inversion formula,

$$n\,\#\operatorname{PDiv}^n X = \sum_{d \mid n} \mu(n/d)(1 + q^d - s_d),$$

where $\mu$ is the usual Möbius function. Note that this simplifies to

$$n\,\#\operatorname{PDiv}^n X = \begin{cases} 1 + q - s_1 & \text{if } n = 1; \\ \sum_{d \mid n} \mu(n/d)(q^d - s_d) & \text{if } n \ge 2. \end{cases} \qquad (3.5)$$

Let $J = \operatorname{Pic}^0_{X/k}$ denote the Jacobian variety of $X$. From the fact that the Brauer group of $k$ vanishes it follows that the canonical inclusion

$$\operatorname{Pic}^0 X \longrightarrow J(k)$$

is an equality. In other words, every rational point of $J$ can be identified with a linear equivalence class of $k$-rational divisors of degree 0.

We note that from the functional equation (3.3) one can deduce that

$$\#\operatorname{Eff}^n X = \frac{q^{n-g+1} - 1}{q - 1}\,L_X(1) \quad \text{for } n > 2g,$$

which in turn is equivalent to the "class number formula"

$$\#J(k) = \#\operatorname{Pic}^0 X = L_X(1). \qquad (3.6)$$
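The counting formulas of this subsection, as an added Python example (not code from the paper): it computes the power sums $s_n$ by Newton's identity, $\#\operatorname{PDiv}^n X$ by (3.5), $\#J(k)$ by (3.6), and $\#\operatorname{Eff}^n X$ in two independent ways. The function names are this example's own, and the sample input $L_X = 1 + t + 2t^2$ with $q = 2$ is the $L$-polynomial of the elliptic curve $y^2 + xy = x^3 + 1$ over $\mathbf{F}_2$, chosen here as test data.

```python
from math import comb


def power_sums(L, n_max):
    """[s_1, ..., s_{n_max}] from L = [1, a_1, ..., a_2g] via Newton's identity.

    Comparing coefficients in L_X' = -L_X * sum_{n>=0} s_{n+1} t^n gives
    s_n = -n*a_n - sum_{j=1}^{n-1} a_j*s_{n-j}, where a_j = 0 for j > 2g.
    """
    def a(j):
        return L[j] if j < len(L) else 0

    s = [0] * (n_max + 1)  # s[0] is a placeholder and is never read
    for n in range(1, n_max + 1):
        s[n] = -n * a(n) - sum(a(j) * s[n - j] for j in range(1, n))
    return s[1:]


def mobius(n):
    """Moebius function by trial division."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0  # n has a square factor
            result = -result
        p += 1
    return -result if n > 1 else result


def prime_divisor_counts(L, q, n_max):
    """{n: #PDiv^n X} for 1 <= n <= n_max, by Moebius inversion."""
    s = [None] + power_sums(L, n_max)
    counts = {}
    for n in range(1, n_max + 1):
        total = sum(mobius(n // d) * (1 + q**d - s[d])
                    for d in range(1, n + 1) if n % d == 0)
        if total < 0 or total % n:
            raise ValueError("L is not the L-polynomial of a curve over F_q")
        counts[n] = total // n
    return counts


def jacobian_order(L):
    """Class number formula (3.6): #J(k) = L_X(1)."""
    return sum(L)


def effective_counts_from_primes(pdiv, n_max):
    """Coefficients of prod_d (1 - t^d)^(-#PDiv^d X) up to t^n_max."""
    coeffs = [1] + [0] * n_max
    for d in range(1, n_max + 1):
        N = pdiv[d]
        if N == 0:
            continue  # the factor for this degree is 1
        new = [0] * (n_max + 1)
        for l in range(n_max // d + 1):
            w = comb(N + l - 1, l)  # multisets of l prime divisors of degree d
            for j in range(n_max + 1 - l * d):
                new[j + l * d] += w * coeffs[j]
        coeffs = new
    return coeffs


def effective_counts_from_L(L, q, n_max):
    """Coefficients of L_X / ((1 - t)(1 - q t)), the standard rational form of Z_X."""
    geom = [(q**(n + 1) - 1) // (q - 1) for n in range(n_max + 1)]
    return [sum(L[j] * geom[n - j] for j in range(min(n, len(L) - 1) + 1))
            for n in range(n_max + 1)]


if __name__ == "__main__":
    L, q = [1, 1, 2], 2  # constructed sample input, see the lead-in
    print(prime_divisor_counts(L, q, 4), jacobian_order(L))
    print(effective_counts_from_L(L, q, 4))
```

For this curve $\#\operatorname{PDiv}^3 X = 0$, which is exactly the situation in which Algorithm 3.2 below would not terminate for $d = 3$.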

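3.1. The Frobenius map

Let $k$ be a finite field of cardinality $q$, and let $X$ be a projective curve over $k$ in the sense of § 2.1. We write $d = \deg\mathcal{L}_X$. Let $\operatorname{Sym}^d X$ denote the $d$-th symmetric power of $X$ over $k$, and let $\operatorname{Gr}^d \Gamma(X, \mathcal{L}_X^{\otimes 2})$ denote the Grassmann variety of linear subspaces of codimension $d$ in the $k$-vector space $\Gamma(X, \mathcal{L}_X^{\otimes 2})$. Then we have a commutative diagram

$$\begin{array}{ccc} \operatorname{Gr}^d \Gamma(X, \mathcal{L}_X^{\otimes 2}) & \longleftarrow & \operatorname{Sym}^d X \\ \downarrow & & \downarrow \\ \operatorname{Gr}^d \Gamma(X, \mathcal{L}_X^{\otimes 2}) & \longleftarrow & \operatorname{Sym}^d X \end{array}$$

of varieties over $k$, where the vertical arrows are the $q$-power Frobenius morphisms. Now let $k'$ be a finite extension of $k$, write

$$X' = X \times_{\operatorname{Spec} k} \operatorname{Spec} k',$$

and let $D$ be an effective divisor on $X'$. The commutativity of the above diagram shows that the divisor $F_q(D)$ on $X'$ can be computed using the following algorithm.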
Algorithm 3.1 (Frobenius map on divisors). Let $X$ be a projective curve over a finite field $k$ of $q$ elements, and let $F_q$ be the Frobenius map on the set of divisors on $X$. Let $k'$ be a finite extension of $k$. Let $X' = X \times_{\operatorname{Spec} k} \operatorname{Spec} k'$, and let $\mathcal{L}_{X'}$ be the pull-back of the line bundle $\mathcal{L}_X$ to $X'$. Let $i$ be a positive integer, and let $D$ be an effective divisor on $X'$. Given the matrix $M$ of the inclusion map

$$\Gamma(X', \mathcal{L}_{X'}^{\otimes i}(-D)) \longrightarrow \Gamma(X', \mathcal{L}_{X'}^{\otimes i})$$

with respect to any $k'$-basis of the left-hand side and the $k'$-basis induced from any $k$-basis of $\Gamma(X, \mathcal{L}_X^{\otimes i})$ on the right-hand side, this algorithm outputs the analogous matrix for the inclusion map

$$\Gamma(X', \mathcal{L}_{X'}^{\otimes i}(-F_q(D))) \longrightarrow \Gamma(X', \mathcal{L}_{X'}^{\otimes i}).$$

1. Apply the Frobenius automorphism of $k'$ over $k$ to the coefficients of the matrix $M$, and output the result.

Analysis. It follows from the discussion preceding the algorithm that the output is indeed equal to $\Gamma(X', \mathcal{L}_{X'}^{\otimes i}(-F_q(D)))$. The algorithm takes 0{{degCx)^) computations of a $q$-th power of an element in $k'$. ⋄

3.2. Choosing random prime divisors 

Let X be a projective curve (in the sense of § 2.1) over a finite field. Our next goal is to generate 
random effective divisors of given degree on X. We start with an algorithm to generate random 
prime divisors. For this we do not yet need to know the zeta function of X, although we use its 
properties in the analysis of the running time of the algorithm. 

Algorithm 3.2 (Random prime divisor). Let $X$ be a projective curve over a finite field $k$. Let $d$ and $i$ be positive integers such that

$$d \le i\deg\mathcal{L}_X - 2g_X.$$

Given $d$, $i$ and the $k$-algebra S^^~^^^ , this algorithm outputs a uniformly distributed prime divisor $P$ of degree $d$ on $X$, represented as the subspace $\Gamma(\mathcal{L}_X^{\otimes i}(-P))$ of $\Gamma(\mathcal{L}_X^{\otimes i})$, provided $\operatorname{PDiv}^d X$ is non-empty. (If $\operatorname{PDiv}^d X = \emptyset$, the algorithm does not terminate.)

1. Choose a non-zero element $s \in \Gamma(\mathcal{L}_X^{\otimes i})$ uniformly randomly, and let $D$ denote the divisor of $s$. (In other words, choose a random hypersurface section of degree $i$ of $X$.)

2. Compute the set $\operatorname{Irr}^d D$ of (reduced) irreducible components of $D$ of degree $d$ over $k$ using Algorithm 2.4.

3. With probability $\#\operatorname{Irr}^d D \,/\, \lfloor (i\deg\mathcal{L}_X)/d \rfloor$, output a uniformly random element $P \in \operatorname{Irr}^d D$ and stop.

4. Go to step 1.

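Analysis. Let $q$ denote the cardinality of $k$, and let $H$ denote the set of divisors $D$ that are divisors of non-zero global sections of $\mathcal{L}_X^{\otimes i}$. By the Riemann-Roch formula, the cardinality of $H$ is

$$\#H = \frac{q^{1-g+i\deg\mathcal{L}} - 1}{q - 1}.$$

When the algorithm finishes, the probability $p(D, P)$ that a specific pair $(D, P)$ has been chosen is

$$p(D, P) = \frac{1}{\#H} \cdot \frac{\#\operatorname{Irr}^d D}{\lfloor (i\deg\mathcal{L})/d \rfloor} \cdot \frac{1}{\#\operatorname{Irr}^d D} = \frac{q - 1}{q^{1-g+i\deg\mathcal{L}} - 1} \cdot \frac{1}{\lfloor (i\deg\mathcal{L})/d \rfloor}.$$

For all prime divisors $P$ of degree $d$, the number of $D \in H$ for which $P$ is in the support of $D$ is equal to

$$\#\{D \mid P \in \operatorname{supp} D\} = \frac{q^{1-g+i\deg\mathcal{L}-d} - 1}{q - 1},$$

so the probability $p(P)$ that a given $P$ is chosen equals

$$p(P) = \#\{D \mid P \in \operatorname{supp} D\} \cdot p(D, P) = \frac{q^{1-g+i\deg\mathcal{L}-d} - 1}{q^{1-g+i\deg\mathcal{L}} - 1} \cdot \frac{1}{\lfloor (i\deg\mathcal{L})/d \rfloor}.$$

This is independent of $P$ and therefore shows that when the algorithm finishes, the chosen element $P \in \operatorname{PDiv}^d X$ is uniformly distributed. Furthermore, the probability $p$ that the algorithm finishes in a given iteration is

$$\begin{aligned} p &= \#\operatorname{PDiv}^d X \cdot \frac{q^{1-g+i\deg\mathcal{L}-d} - 1}{q^{1-g+i\deg\mathcal{L}} - 1} \cdot \frac{1}{\lfloor (i\deg\mathcal{L})/d \rfloor} \\ &= \frac{\#\operatorname{PDiv}^d X}{q^d} \cdot \frac{q^{1-g+i\deg\mathcal{L}} - q^d}{q^{1-g+i\deg\mathcal{L}} - 1} \cdot \frac{1}{\lfloor (i\deg\mathcal{L})/d \rfloor} \\ &\ge \frac{\#\operatorname{PDiv}^d X}{q^d}\,(1 - q^{-1-g_X})\,\frac{d}{i\deg\mathcal{L}}. \end{aligned}$$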

We claim that the expected running time is polynomial in $\deg\mathcal{L}$, $i$ and $\log q$, under the assumption that $\#\operatorname{PDiv}^d X \ne 0$. We distinguish two cases:

$$q^{d/2} \le 2\sigma_0(d)(2g_X + 1) \quad\text{and}\quad q^{d/2} > 2\sigma_0(d)(2g_X + 1),$$

where $\sigma_0(d)$ denotes the number of positive divisors of $d$. In the first case, we see that

p > {2a\d){2g^ + l)f{l - q-^-9.)-J—, 

which shows that $1/p$ is bounded by a polynomial in $\deg\mathcal{L}$ and $i$. In the second case, we deduce from (3.5) the following estimate for $\#\operatorname{PDiv}^d X$:



\d# PDiv"^ X-q'^\<J2'l" + J2\se 



e\d e\d 



so that #PDiv'^X > q'^/{2d), and hence 



<{a\d)-l)q'''+a\d).2g^q'l\ 

< C7\2){2g^ + 
1 



P> 



2i deg £ 



In both cases we conclude that the expected running time is bounded by a polynomial in $\deg\mathcal{L}$, $i$ and $\log q$. ⋄

3.3. Choosing random divisors 

As before, let $X$ be a projective curve over a finite field $k$. From now on we assume that we know the zeta function of $X$, or equivalently the polynomial $L_X$.

Below we will give an algorithm for generating uniformly random effective divisors of a given degree on the curve $X$. These divisors will be built up from prime divisors, so it will be useful to speak of the decomposition type of an effective divisor $D$. This is the sequence of integers $(l_1, l_2, \ldots)$, where $l_d$ is the number of prime divisors of degree $d$ (counted with multiplicities) occurring in $D$.

One of the ingredients is the concept of $m$-smooth divisors and decomposition types. An $m$-smooth divisor is a linear combination of prime divisors whose degrees are at most $m$, and an $m$-smooth decomposition type of degree $n$ is an $m$-tuple $(l_1, \ldots, l_m)$ such that $\sum_{d=1}^{m} l_d d = n$. For every $m$-smooth effective divisor $D$ of degree $n$, we may view the decomposition type of $D$ as an $m$-smooth decomposition type, since only its first $m$ coefficients are non-zero.

The algorithm that we will describe takes as input the degree $n$ as well as a positive integer $m$, and outputs a uniformly random $m$-smooth effective divisor of degree $n$. Clearly, all effective divisors of degree $n$ are $n$-smooth, so that the algorithm can be used with $m = n$ to produce uniformly random effective divisors of degree $n$.

The first step is to generate the decomposition type of a uniformly random $m$-smooth effective divisor of degree $n$. The method we use for doing this is described by Diem in [5, page 150] and in [6, .]. Diem's algorithm works by recursion on $m$.

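For every $m \ge 1$, we write $\operatorname{Eff}^n_{\le m} X$ for the set of $m$-smooth effective divisors $D$ of degree $n$. Furthermore, for $l \ge 0$ and $m \ge 1$ we write $\operatorname{Eff}^{lm}_m X$ for the set of divisors of degree $lm$ that are linear combinations of prime divisors of degree $m$. We note that the set $\operatorname{Eff}^n_{\le m} X$ can be decomposed as

$$\operatorname{Eff}^n_{\le m} X = \begin{cases} \operatorname{Eff}^n_1 X & \text{if } m = 1; \\ \bigsqcup_{l=0}^{\lfloor n/m \rfloor} \operatorname{Eff}^{lm}_m X \times \operatorname{Eff}^{n-lm}_{\le m-1} X & \text{if } m \ge 2. \end{cases} \qquad (3.7)$$

The cardinality of $\operatorname{Eff}^{lm}_m X$ equals the number of ways to choose $l$ elements from the set $\operatorname{PDiv}^m X$ with repeats. For this we have the well-known formula

$$\#\operatorname{Eff}^{lm}_m X = \binom{\#\operatorname{PDiv}^m X - 1 + l}{l}. \qquad (3.8)$$

Furthermore, from the description (3.7) of $\operatorname{Eff}^n_{\le m} X$ we see that

$$\#\operatorname{Eff}^n_{\le m} X = \begin{cases} \#\operatorname{Eff}^n_1 X & \text{if } m = 1; \\ \sum_{l=0}^{\lfloor n/m \rfloor} \#\operatorname{Eff}^{lm}_m X \cdot \#\operatorname{Eff}^{n-lm}_{\le m-1} X & \text{if } m \ge 2. \end{cases} \qquad (3.9)$$

From these relations we can compute $\#\operatorname{Eff}^n_{\le m} X$ recursively, starting from the numbers $\#\operatorname{PDiv}^d X$ for $1 \le d \le m$. An alternative way to describe these recurrence relations is to use generating functions; see Diem [5, page 149] or [6, Lemma 3.14].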

In order to generate decomposition types of uniformly random $m$-smooth divisors of degree $n$, we define a probability distribution $\mu^n_m$ on the set of $m$-smooth decomposition types of degree $n$ by defining $\mu^n_m(l_1, \ldots, l_m)$ as the probability that a uniformly randomly chosen effective $m$-smooth divisor of degree $n$ has decomposition type $(l_1, \ldots, l_m)$. The algorithm now works as follows. We first select an integer $l_m \in \{0, 1, \ldots, \lfloor n/m \rfloor\}$ (the number of prime divisors of degree $m$, counted with multiplicities, occurring in the decomposition) according to the marginal distribution $\nu^n_m$ of the $m$-th coordinate. We then apply the algorithm recursively with $(n - l_m m, m - 1)$ in place of $(n, m)$.

The marginal distribution $\nu^n_m$ of the coordinate $l_m$ in an $m$-tuple $(l_1, \ldots, l_m)$ distributed according to $\mu^n_m$ is the following. If $m = 1$, then $l_1 = n$ with probability 1. When $m \ge 2$, the probability that $l_m$ equals a given $l \in \{0, 1, \ldots, \lfloor n/m \rfloor\}$ is

$$\nu^n_m(l) = \frac{\#\operatorname{Eff}^{lm}_m X \cdot \#\operatorname{Eff}^{n-lm}_{\le m-1} X}{\#\operatorname{Eff}^n_{\le m} X} \qquad (0 \le l \le \lfloor n/m \rfloor). \qquad (3.10)$$

Once we have computed $\#\operatorname{Eff}^n_{\le m} X$, as well as $\#\operatorname{Eff}^{lm}_m X$ and $\#\operatorname{Eff}^{n-lm}_{\le m-1} X$ for $0 \le l \le \lfloor n/m \rfloor$ (using (3.5), (3.8) and (3.9)), it is straightforward to generate a random $l_m \in \{0, 1, \ldots, \lfloor n/m \rfloor\}$ distributed according to $\nu^n_m$. Namely, we subdivide the interval

$$I = \{0, 1, \ldots, \#\operatorname{Eff}^n_{\le m} X - 1\}$$

into $\lfloor n/m \rfloor + 1$ intervals $I_l$, with $0 \le l \le \lfloor n/m \rfloor$ and each $I_l$ having length $\#\operatorname{Eff}^{lm}_m X \cdot \#\operatorname{Eff}^{n-lm}_{\le m-1} X$, we generate a uniformly random element $x \in I$, and we select the unique $l$ such that $x \in I_l$.
Algorithm 3.3 (Decomposition type of a random divisor). Given the polynomial $L_X$ for a curve $X$ over a finite field and integers $n \ge 0$ and $m \ge 1$, this algorithm outputs a random $m$-smooth decomposition type $(l_1, \ldots, l_m)$ of degree $n$, distributed according to the distribution $\mu^n_m$.

1. If $m = 1$, output the 1-tuple $(n)$ and stop.

2. Choose a random element $l_m \in \{0, 1, \ldots, \lfloor n/m \rfloor\}$ according to the distribution $\nu^n_m$ from (3.10).

3. Call the algorithm recursively with $(n - l_m m, m - 1)$ in place of $(n, m)$ to obtain an $(m-1)$-smooth decomposition type $(l_1, \ldots, l_{m-1})$ of degree $n - l_m m$.

4. Output the $m$-tuple $(l_1, \ldots, l_m)$.

Analysis. The correctness of the algorithm follows from the above discussion. It is straightforward to check that it runs in time polynomial in $g_X$, $\log \#k$, $n$ and $m$. ⋄

The preceding algorithm reduces our problem to generating random linear combinations of $l$ prime divisors of a given degree $d$. In other words, we have to pick a random multiset of cardinality $l$ from $\operatorname{PDiv}^d X$. This can be done using the following algorithm. I thank Claus Diem for pointing out this method to me, which is much simpler than the one I had in mind originally.

Algorithm 3.4 (Random multiset). Let $S$ be a finite non-empty set of known cardinality. Suppose we have algorithms to pick uniformly random elements of $S$ and to decide whether two such elements are equal. Given a non-negative integer $l$, this algorithm outputs a uniformly random multiset of $l$ elements from $S$.

1. Generate a uniformly random subset $\{x_1, \ldots, x_l\}$ of $\{1, 2, \ldots, l + \#S - 1\}$, with $x_1 < x_2 < \cdots < x_l$.

2. Define a multiset $(y_1, \ldots, y_l)$ of $l$ elements from $\{0, 1, \ldots, \#S - 1\}$ by $y_i = x_i - i$; then $y_1 \le y_2 \le \cdots \le y_l$.

3. For each $i$ with $1 \le i \le l$, let $a_i$ be the number of elements of $\{0, 1, \ldots, \#S - 1\}$ that occur with multiplicity $i$ in $(y_1, \ldots, y_l)$.

4. Generate a uniformly random sequence

$$s^1_1, s^1_2, \ldots, s^1_{a_1},\quad s^2_1, s^2_2, \ldots, s^2_{a_2},\quad \ldots,\quad s^l_1, s^l_2, \ldots, s^l_{a_l}$$

of $a_1 + a_2 + \cdots + a_l$ distinct elements of $S$.

5. Output the multiset consisting of the elements $s^j_i$ of $S$, where $s^j_i$ occurs with multiplicity $j$.

Analysis. By construction, the multiset $(y_1, \ldots, y_l)$ of $l$ elements from $\{0, 1, \ldots, \#S - 1\}$ is uniformly random, so the "multiplicity vector" $(a_1, \ldots, a_l)$ is the same as that of a uniformly random multiset of $l$ elements from $S$. The multiset generated in the last step is uniformly random among the multisets with this "multiplicity vector". This implies that the result is a uniformly random multiset of $l$ elements from $S$, as required. ⋄
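Algorithms 3.3 and 3.4 as an added Python example (not code from the paper). It takes the counts $\#\operatorname{PDiv}^d X$ as input, and it models prime divisors as labels `(d, index)` drawn uniformly as a stand-in for Algorithm 3.2; that stand-in, the function names and the sample counts (those of the elliptic curve $y^2 + xy = x^3 + 1$ over $\mathbf{F}_2$) are assumptions of this example.

```python
import random
from collections import Counter
from math import comb


def eff_pure(l, N):
    """(3.8): number of multisets of l prime divisors out of N = #PDiv^m X."""
    if l == 0:
        return 1
    return comb(N + l - 1, l) if N > 0 else 0


def eff_smooth(n, m, pdiv):
    """(3.9): number of m-smooth effective divisors of degree n; pdiv[d] = #PDiv^d X."""
    if m == 1:
        return eff_pure(n, pdiv[1])
    return sum(eff_pure(l, pdiv[m]) * eff_smooth(n - l * m, m - 1, pdiv)
               for l in range(n // m + 1))


def marginal_weights(n, m, pdiv):
    """Lengths of the intervals I_l, l = 0..floor(n/m); they sum to eff_smooth(n, m)."""
    return [eff_pure(l, pdiv[m]) * eff_smooth(n - l * m, m - 1, pdiv)
            for l in range(n // m + 1)]


def decomposition_type(n, m, pdiv, rng):
    """Algorithm 3.3: a random m-smooth decomposition type (l_1, ..., l_m)."""
    if eff_smooth(n, m, pdiv) == 0:
        raise ValueError("there is no m-smooth effective divisor of degree n")
    if m == 1:
        return (n,)
    weights = marginal_weights(n, m, pdiv)
    x = rng.randrange(sum(weights))  # uniform element of the interval I
    l = 0
    while x >= weights[l]:           # locate the sub-interval I_l containing x
        x -= weights[l]
        l += 1
    return decomposition_type(n - l * m, m - 1, pdiv, rng) + (l,)


def random_multiset(l, size, draw, rng):
    """Algorithm 3.4: uniform multiset of l elements of a set S with #S = size.

    draw() returns a uniform element of S; hashing stands in for the
    equality test. Returns {element: multiplicity}.
    """
    xs = sorted(rng.sample(range(1, l + size), l))   # step 1
    ys = [x - i for i, x in enumerate(xs, start=1)]  # step 2: y_i = x_i - i
    mults = sorted(Counter(ys).values())             # step 3: a_j copies of j
    chosen = {}
    for j in mults:                                  # steps 4 and 5
        while True:                                  # reject repeated draws
            s = draw()
            if s not in chosen:
                chosen[s] = j
                break
    return chosen


def random_divisor(n, m, pdiv, rng=None):
    """Shape of Algorithm 3.5, with prime divisors modelled as labels (d, index)."""
    rng = rng or random.SystemRandom()  # OS randomness unless a seeded rng is injected
    divisor = {}
    for d, l in enumerate(decomposition_type(n, m, pdiv, rng), start=1):
        # Stand-in for Algorithm 3.2 (assumption): a uniform draw from PDiv^d X.
        def draw(d=d):
            return (d, rng.randrange(pdiv[d]))
        divisor.update(random_multiset(l, pdiv[d], draw, rng))
    return divisor


# Constructed sample input: #PDiv^d X for d = 1..4 of y^2 + xy = x^3 + 1 over F_2.
PDIV = {1: 4, 2: 2, 3: 0, 4: 2}

if __name__ == "__main__":
    print(marginal_weights(4, 4, PDIV), random_divisor(4, 4, PDIV))
```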

Combining Algorithms 3.2, 3.3 and 3.4, we obtain the following algorithm to generate a uniformly random effective divisor of a given degree.

Algorithm 3.5 (Random divisor). Let $X$ be a projective curve over a finite field $k$. Given positive integers $m$ and $i$, an integer $n$ satisfying

$$0 \le n \le i\deg\mathcal{L}_X - 2g_X,$$

the graded $k$-algebra S'^*^^'' and the polynomial $L_X$, this algorithm outputs a uniformly random $m$-smooth effective divisor $D$ of degree $n$ on $X$, represented as the subspace $\Gamma(\mathcal{L}_X^{\otimes i}(-D))$ of $\Gamma(\mathcal{L}_X^{\otimes i})$.

1. Generate a random $m$-smooth decomposition type $(l_1, \ldots, l_m)$ of degree $n$ using Algorithm 3.3.

2. For $d = 1, \ldots, m$, generate a uniformly random linear combination of $l_d$ prime divisors of degree $d$ on $X$ using Algorithm 3.4 (with $S = \operatorname{PDiv}^d X$ and $l = l_d$), where we use Algorithm 3.2 to generate random elements of $\operatorname{PDiv}^d X$.

3. Compute the subspace $\Gamma(\mathcal{L}_X^{\otimes i}(-D))$ for the divisor $D = D_1 + \cdots + D_m$ using the addition algorithm described in §2.2, and output $\Gamma(\mathcal{L}_X^{\otimes i}(-D))$.

Analysis. It follows from the above discussion that the algorithm outputs a uniformly random $m$-smooth divisor of degree $n$ on $X$. The running time is clearly polynomial in $m$, $n$, $i$ and $\deg\mathcal{L}_X$ (measured in field operations in $k$). ⋄

Remark. In practice, the following method for picking a random effective divisor of degree $n$ is faster, but does not give a uniformly distributed output. We first choose a uniformly random non-zero section $s$ of $\Gamma(X, \mathcal{L}^{\otimes i})$, where $i$ is a non-negative integer such that

$$i\deg\mathcal{L} - n > 2g + 1.$$

Then if the set of effective divisors $D$ of degree $n$ with $D \le \operatorname{div} s$ is non-empty, we pick a uniformly random element from it; otherwise we keep going with a different section $s$.

3.4. The Frobenius endomorphism of the Jacobian 

As before, let $k$ be a finite field of cardinality $q$, and let $X$ be a proper, smooth and geometrically connected curve over $k$. Let $J$ be the Jacobian variety of $X$, and let $F_q$ denote the Frobenius endomorphism of $J$; it is an isogeny of degree $q^g$. The Rosati dual of $F_q$ is called the Verschiebung and denoted by $\operatorname{Ver}_q$. The Albanese and Picard maps associated to the Frobenius morphism on $X$ are the endomorphisms $F_q$ and $\operatorname{Ver}_q$ of $J$, respectively.
Then we have a commutative diagram

$$\begin{array}{ccc} \operatorname{Sym}^d X & \longrightarrow & J \\ F_q \downarrow & & \downarrow F_q \\ \operatorname{Sym}^d X & \longrightarrow & J \end{array}$$

of varieties over $k$, where the vertical arrows are the $q$-power Frobenius morphisms. This shows that the Frobenius endomorphism of $J$ is equal to the endomorphism $\operatorname{Alb}(F_q)$ induced by the Frobenius map on $X$ via Albanese functoriality.

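Write $X' = X \times_{\operatorname{Spec} k} \operatorname{Spec} k'$. The results of § 3.1 now imply that for any finite extension $k'$ of $k$, the endomorphism $F_q$ of $J(k') = \operatorname{Pic}^0(X')$ can be computed by applying Algorithm 3.1 to any subspace $\Gamma(X', \mathcal{L}_{X'}^{\otimes 2}(-D))$ of the $k'$-vector space

$$\Gamma(X', \mathcal{L}_{X'}^{\otimes 2}) \cong k' \otimes_k \Gamma(X, \mathcal{L}_X^{\otimes 2}),$$

where $D$ is an effective divisor of degree $\deg\mathcal{L}_X$ on $X'$ such that $\mathcal{L}_{X'}(-D)$ represents $x$.
If $O$ is a $k$-rational point of $X$, then we can compute the trace map

$$\operatorname{tr}_{k'/k}\colon \operatorname{Pic}^0 X' \to \operatorname{Pic}^0 X$$

in the following way. For $x \in \operatorname{Pic}^0 X'$, we compute a subspace of $\Gamma(X', \mathcal{L}_{X'}^{\otimes 2})$ representing the element

$$y = \sum_{i=0}^{[k':k]-1} F_q^i\, x \in \operatorname{Pic}^0 X'.$$

Now $y$ is in fact the image of the element $\operatorname{tr}_{k'/k}\, x \in \operatorname{Pic}^0 X$ under the inclusion $\operatorname{Pic}^0 X \to \operatorname{Pic}^0 X'$, so we can apply Algorithm 2.13 to find a subspace of $\Gamma(X, \mathcal{L}_X^{\otimes 2})$ representing $\operatorname{tr}_{k'/k}\, x$.

In §2.11, the problem of computing the Albanese map for a finite morphism of curves was reduced to the problem of computing trace maps. Since we can solve the latter problem, we can also solve the former.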
3.5. Picking random elements of the Picard group

The next problem we will study is that of picking uniformly random elements in the finite Abelian group $J(k) = \operatorname{Pic}^0 X$. We recall from §2.8 that in the medium model of the Picard group, the class of a line bundle $\mathcal{M}$ of degree 0 is represented by an effective divisor $D$ of degree $\deg\mathcal{L}$ such that $\mathcal{M} \cong \mathcal{L}(-D)$. Consider the map

$$D \mapsto [\mathcal{L}(-D)].$$

It follows from the Riemann-Roch theorem and the fact that deg C > — 1 that all fibres of this 

map have cardinality ^ . This means that to pick a uniformly random element of Pic X 

it suffices to pick a uniformly random divisor of degree $\deg\mathcal{L}$. A method for doing this is given by Algorithm 3.5, provided that we know

3.6. Computing Frey–Rück pairings

Let n be a positive integer. We assume k contains a primitive n-th root of unity; this is equivalent 
to 

=g-l 

and implies that n is not divisible by the characteristic of k. 

Let $X$ be a complete, smooth, geometrically connected curve over $k$, and let $J$ be its Jacobian variety. The Frey–Rück pairing of order $n$ on $J(k) = \operatorname{Pic}^0 X$, often also referred to as the Tate–Lichtenbaum pairing, is the bilinear map

$$[\ ,\ ]_n\colon J[n](k) \times J(k)/nJ(k) \longrightarrow \mu_n(k)$$

defined as follows (see Frey and Rück [10] or Schaefer [16]). Let $x$ and $y$ be elements of $J(k)$ such that $nx = 0$. Choose divisors $D$ and $E$ such that $x$ and $y$ are represented by the line bundles $\mathcal{O}_X(D)$ and $\mathcal{O}_X(E)$, respectively, and such that the supports of $D$ and $E$ are disjoint. By assumption, there exists a rational function $f$ on $X$ such that $nD = \operatorname{div}(f)$; now $[x, y]_n$ is defined as

$$[x, y]_n = f(E)^{\#k^\times/n}.$$

Here $f(E)$ is defined on $\bar{k}$-valued points (where $\bar{k}$ is an algebraic closure of $k$) by function evaluation, and then extended to the group of divisors on $X_{\bar{k}}$ by linearity in the sense that

$$f(E + E') = f(E) \cdot f(E').$$

It is known that the Frey–Rück pairing is perfect in the sense that it induces isomorphisms

$$J[n](k) \xrightarrow{\ \sim\ } \operatorname{Hom}(J(k)/nJ(k), \mu_n(k))$$

and

$$J(k)/nJ(k) \xrightarrow{\ \sim\ } \operatorname{Hom}(J[n](k), \mu_n(k))$$

of Abelian groups.

Let us now give a slightly different interpretation of $f(E)$ that brings us in the right situation to compute $[x, y]_n$. We consider an arbitrary non-zero rational function $f$ and an arbitrary divisor $E$ such that the divisors

$$D = \operatorname{div}(f)$$

and $E$ have disjoint supports. Since $f(E)$ is by definition linear in $E$, it suffices to consider the case where $E$ is an effective divisor. As in § 2.7, we write

$$j_E\colon E \to X$$

for the closed immersion of $E$ into $X$, and if $\mathcal{M}$ is a line bundle on $X$ we abbreviate

Since $D$ and $E$ have disjoint supports, we have a canonical trivialisation

$$t_D\colon k \xrightarrow{\ \sim\ } N_{E/k}\mathcal{O}_X \xrightarrow{\ \sim\ } N_{E/k}\mathcal{O}_X(D).$$

On the other hand, multiplication by $f$ induces an isomorphism

$$N_{E/k} f\colon N_{E/k}\mathcal{O}_X(D) \xrightarrow{\ \sim\ } N_{E/k}\mathcal{O}_X = k$$

of one-dimensional $k$-vector spaces. We claim that the composed isomorphism

$$k \xrightarrow{\ t_D\ } N_{E/k}\mathcal{O}_X(D) \xrightarrow{\ N_{E/k} f\ } k \qquad (3.11)$$

is multiplication by $f(E)$. This is true in the case where $E$ is a single point, since then $N_{E/k}$ is (canonically isomorphic to) the identity functor. We deduce the general case from this by extending the base field to an algebraic closure of $k$ and using the fact that both $f(E)$ and the norm functor are linear in $E$. For the latter claim, we refer to Deligne [17, exposé XVII, n° 6.3.27].

Remark. The isomorphism (3.11) could be taken as a definition of $f(E)$ for effective divisors $E$.

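Lemma 3.6. Let $x$ and $y$ be elements of $J(k)$ with $nx = 0$, let $\mathcal{M}$ be a line bundle representing $x$, and let $E^+$ and $E^-$ be effective divisors such that $\mathcal{O}_X(E^+ - E^-)$ represents $y$. (In particular, $\mathcal{M}$ has degree 0, and $E^+$ and $E^-$ have the same degree.) For any pair of trivialisations

$$t^\pm\colon k \xrightarrow{\ \sim\ } N_{E^\pm/k}\mathcal{M}$$

of $k$-vector spaces and any trivialisation

$$s\colon \mathcal{O}_X \xrightarrow{\ \sim\ } \mathcal{M}^{\otimes n}$$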

of line bundles on X, the isomorphism 

is multiplication by an element of $k^\times$ whose $(\#k^\times/n)$-th power equals $[x, y]_n$.

(We have implicitly used the isomorphisms $N_{E^\pm/k}(\mathcal{M}^{\otimes n}) \cong (N_{E^\pm/k}\mathcal{M})^{\otimes n}$ expressing the linearity of $N_{E^\pm/k}$, and denoted both sides of the isomorphism by $N_{E^\pm/k}\mathcal{M}^{\otimes n}$.)

Proof. We fix a non-zero rational section h such that the divisor 

D = divh 

is disjoint with E^. Then we have canonical trivialisations 

t±:k^NE±/kOx{D) 
as above. Composing these with the isomorphism 

NE±/kh:NE±/kOx{D) ^ NE±/kM 
induced by multiplication by h gives trivialisations 

t^ = lSlE±/khotD:k ^ NE±/kM. 
Now consider any isomorphism
of line bundles on X, and define 

/ 

then / can be viewed as a rational function with divisor nD. We now have commutative diagrams 

k ^ NE±/kOx{nD) ^ k 

II -i^E±/kh'' II 

As we saw above, the top row is multiplication by /{E"^); by the commutativity of the diagram, 
the same holds for the bottom row. Finally, we note that replacing by any pair of trivialisations 

t^:k^NE±/kM 

changes the isomorphism in the bottom row of the above diagram by some n-th power in fc^ . This 
implies that the isomorphism 

k ne./,m^- "^^"^ k 

equals multiplication by an element of fc^ whose (#fc/n)-th power is 

/(^±)#*V". The lemma 

follows from this by the definition of [a;,?y]„. □ 

Lemma 3.6 reduces the problem of computing the Frey–Rück pairing of order $n$ to the following: given a line bundle $\mathcal{M}$ such that $\mathcal{M}^{\otimes n}$ is trivial, find an isomorphism

and, given moreover an effective divisor E and a trivialisation 

t:k^ ^E/kM, 

compute the isomorphism 

75:fcAN^/,A1«"^--^"^fc. (3.12) 

We assume that the curve $X$ is given by a projective embedding via a line bundle $\mathcal{L}$ as in § 2.1.

We will describe an algorithm to compute isomorphisms of the type $I^{s,t}_E$, based on Khuri-Makdisi's algorithms for computing with divisors on $X$. Suppose we are given a line bundle $\mathcal{M}$ of degree 0 such that $\mathcal{M}^{\otimes n}$ is trivial and an effective divisor $E$. For simplicity, we assume that $\deg E = \deg\mathcal{L}$. As in §2.2, we represent the class of $\mathcal{M}$ in $J(k)$ by the subspace $\Gamma(X, \mathcal{L}^{\otimes 2}(-D))$ of $\Gamma(X, \mathcal{L}^{\otimes 2})$, where $D$ is any effective divisor of degree $\deg\mathcal{L}$ (not necessarily disjoint from $E$) such that

$$\mathcal{M} \cong \mathcal{L}(-D).$$

Likewise, we represent $E$ as the subspace $\Gamma(X, \mathcal{L}^{\otimes 2}(-E))$ of $\Gamma(X, \mathcal{L}^{\otimes 2})$.
First, we will describe a construction of a trivialisation

$$s\colon \mathcal{O}_X \xrightarrow{\ \sim\ } \mathcal{L}(-D)^{\otimes n}.$$



s:Ox 

= s-"" oK^:Ox{nD) ^ Ox; 
For this we fix an anti-addition chain $(a_0, a_1, \ldots, a_m)$ for $n$, as described in § 2.8. In particular, for each $l$ with $2 \le l \le m$ we are given $i(l)$ and $j(l)$ in $\{0, 1, \ldots, l-1\}$ such that

$$a_l = -a_{i(l)} - a_{j(l)}.$$

We fix any non-zero global section $u$ of $\mathcal{L}$, and we put

$$D_0 = \operatorname{div}(u), \qquad D_1 = D.$$

For $l = 2, 3, \ldots, m$, we iteratively apply Algorithm 2.11 to $D_{i(l)}$ and $D_{j(l)}$; this gives an effective divisor $D_l$ of degree $\deg\mathcal{L}$ and a global section $s_l$ of $\mathcal{L}^{\otimes 3}$ such that the line bundle $\mathcal{L}^{\otimes 3}(-D_l - D_{i(l)} - D_{j(l)})$ is trivial and

$$\operatorname{div}(s_l) = D_l + D_{i(l)} + D_{j(l)}.$$

We recursively define rational sections $h_0, h_1, \ldots, h_m$ of $\mathcal{L}^{\otimes(a_l - 1)}$ by

$$h_l = \begin{cases} u^{-1} & \text{for } l = 0; \\ 1 & \text{for } l = 1; \\ (h_{i(l)} h_{j(l)} s_l)^{-1} & \text{for } l = 2, 3, \ldots, m. \end{cases}$$

Then it follows immediately that each $h_l$ has divisor $a_l D - D_l$. In particular, since $\mathcal{L}(-D)^{\otimes n}$ is trivial, so is $\mathcal{L}(-D_m)$ and Algorithm 2.10 provides us with a global section $v$ of $\mathcal{L}$ such that

$$\operatorname{div}(v) = D_m.$$

The rational section

$$s = h_m v$$

of $\mathcal{L}^{\otimes n}$ has divisor $nD$ and hence induces an isomorphism

$$s\colon \mathcal{O}_X \xrightarrow{\ \sim\ } \mathcal{L}(-D)^{\otimes n}.$$

Next, we assume that an effective divisor $E$ has been given. We assume for simplicity that $\deg E = \deg\mathcal{L}$. We fix bases of the following $k$-vector spaces:

riE,C®^); 

r{E,C'^^{-Di)) for 1 < ? < to; 

r(i;,£®4(-A(0 - -Dj(o)) for 2 < / < to. 

In addition, we fix a /e-basis of T{E,£'^^{—Do)) by defining it as the image of the chosen basis 
of r(£',£®^) under the multiplication map 

u:r{E,C'^^) ^TiE,C^H-Do)). 

For < Z < TO we define a trivialisation 

ti-.k^-NE/k^-Di) 

^ Homfc (detfc r(^, C^^), detfc T{E, C^^-Di))) 

using the given bases of r(jE^, and r{E, C^^i—Di)), and we define an element 7; of by 
requiring that the diagram 

k 4> N£/fe£(-A) 

be commutative. For 2 < Z < to, we define a trivalisation 

t'l-.k ^-NE/kC^\-D,^i) - D^^i)) 
by (2.8) using the given bases of T{E,C®'^) and T{E, — Dj(^i))), and a trivialisation 

by (2.8) using the given bases of r{E,C«'^) and T{E,C''^^{-Di - D,(^i) - I^j-y))). 
Algorithm 3.7 (Compute isomorphisms of the form ifi). Let X be a projective curve over a
field k,\et D and E be effective divisors of degree deg£ on X, and let n be a positive integer such 
that C{—D)®" is trivial. Given the fc-algebra an anti-addition chain (ao, ai, . . . , for n, 
a global section u of C, effective divisors Dq, Di, . . . , Dm, global sections S2, • • • , Sm of £^ such 

that 

Do=div{u),Di= D and div(s;) = A + A(0 + -^jCO 2 < Z < m 

and a global section v of the trivial line bundle jC{—Dm), this algorithm outputs the isomorphism 

defined by (3.12), where s is defined using the given data, and where t is chosen by the 
algorithm. (This means that the output of the algorithm is an element of fc^ defined up to n-th 
powers in .) 

1. Put 7o = 7i = 1. 

2. For Z = 2, 3, . . . , m: 

3. Using Algorithm 2.9, compute the elements a[^^ and Ap^ of fc^ such that the diagrams 

k **<'25-('^ NE/k^-D^il))^^E/k^-D,^l)) 

and 

are commutative. Define A; = A^^Aj^^ 

4. Compute ai G k^ as the determinant of the matrix of the isomorphism 

si: r{E, ^ T{E, C.^\-Di - D^^i) - Dj^i^)) 

with respect to the given bases. 

5. Put 7; = . 

o-z7j(/)7j(0 

6. Compute S G k^ as the determinant of the matrix of the isomorphism 



v:T{E,jC'')^nE,jCH-Dm)) 
with respect to the given bases. 
7. Output the element ^-r G k^. 

Analysis. The definitions of A; and cr; given in the algorithm imply that the diagram 
k *'®*'-<;if*^<" N^;/fe£(-A)®NB/fc£(-A(o)®NB/fcr(-A(o) 



A, 



4- i- 



is commutative and that the isomorphism 
is multiplication by ai.

The recursive definition of the hi implies that the recurrence relation between the 7; is as 
stated in the algorithm. Namely, it follows from the definition of £>o, from the special choice of 
basis of V{E,C'^^{-Dq)) and from the fact that ti=t that 

70 = 71 = 1- 

Furthermore, the definitions of hi, 7;, 7i(;), 7j(() and the properties of A; and ui that we have just 
proved imply that 

7; = ^ for Z = 2, 3, . . . , m. 

cr/7«(/)7j(0 



Finally, it follows from the definitions of s, 7^ and the isomorphism if^ from (3.12) that the 

t 



relation between v, t^, 7m and 1^^ is given by the commutativity of the diagram 



k — 



This proves that the element of fc^ output of the last step is indeed 1^^. 

It is straightforward to check that the running time of the algorithm, measured in operations 
in k, is polynomial in deg£ and m. o 

Algorithm 3.8 (Frey–Rück pairing). Let $X$ be a projective curve over a finite field $k$, let $n$ be an integer dividing $\#k^\times$, and let $x$ and $y$ be elements of $J(k)$ with $nx = 0$. Given the $k$-algebra S)^ and subspaces $\Gamma(\mathcal{L}_X^{\otimes 2}(-D))$ and $\Gamma(\mathcal{L}_X^{\otimes 2}(-E^-))$ of $\Gamma(\mathcal{L}_X^{\otimes 2})$ representing $x$ and $y$, this algorithm outputs the element $[x, y]_n \in \mu_n(k)$.

1. Find an anti-addition chain $(a_0, a_1, \ldots, a_m)$ for $n$.

2. Choose any non-zero global section $u$ of $\mathcal{L}_X$, and let $D_0$ denote its divisor. Compute the space

$$\Gamma(\mathcal{L}_X^{\otimes 2}(-D_0)) = u\,\Gamma(\mathcal{L}_X).$$

Write $D_1 = D$.

3. Use Algorithm 2.11 to compute effective divisors $D_2, D_3, \ldots, D_m$ of degree $\deg\mathcal{L}_X$, represented as the spaces $\Gamma(\mathcal{L}_X^{\otimes 2}(-D_l))$, and non-zero global sections $s_2, s_3, \ldots, s_m$ of $\mathcal{L}_X^{\otimes 3}$ such that the line bundle $\mathcal{L}_X^{\otimes 3}(-D_{i(l)} - D_{j(l)} - D_l)$ is trivial and

$$\operatorname{div}(s_l) = D_{i(l)} + D_{j(l)} + D_l.$$

4. Using Algorithm 2.10, verify that $\mathcal{L}_X(-D_m)$ is trivial and find a non-zero global section $v$ of $\mathcal{L}_X(-D_m)$.

5. Choose a non-zero global section $w$ of $\mathcal{L}_X$, let $E^+$ denote its divisor, and compute

$$\Gamma(\mathcal{L}_X^{\otimes 2}(-E^+)) = w\,\Gamma(\mathcal{L}_X).$$

6. Compute $I^{s,t^+}_{E^+}$ and $I^{s,t^-}_{E^-}$, viewed as elements of $k^\times$, using Algorithm 3.7, where $t^+$ and $t^-$ are certain trivialisations chosen by that algorithm.

7. Output 

Analysis. The correctness of this algorithm follows from Lemma 3.6. The running time is polynomial in $\deg\mathcal{L}_X$, $\log \#k$ and $\log n$. ⋄
3.7. Finding relations between torsion points

Let $X$ be a projective curve over a finite field $k$, let $J$ be its Jacobian, and let $l$ be a prime number different from the characteristic of $k$. We will show how to find all the $\mathbf{F}_l$-linear relations between given elements of $J[l](k)$. In particular, given a basis $(b_1, \ldots, b_n)$ for a subspace $V$ of $J[l](k)$ and another point $x \in J[l](k)$, this allows us to check whether $x \in V$, and if so, express $x$ as a linear combination of $(b_1, \ldots, b_n)$.

Let $k'$ be an extension of $k$ containing a primitive $l$-th root of unity. It is well known that the problem just described can be reduced, via the Frey–Rück pairing, to the discrete logarithm problem in the group $\mu_l(k')$. Algorithm 3.10 below makes this precise. We begin with an estimate for the number of elements needed to generate a finite-dimensional vector space over a finite field with high probability.

Lemma 3.9. Let $\mathbf{F}$ be a finite field, and let $V$ be an $\mathbf{F}$-vector space of finite dimension $d$. Let $\alpha$ be a real number with $0 < \alpha < 1$, and write



if d = 0; 

log#F 



if d>0. 



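If $v_1, \ldots, v_m$ are uniformly random elements of $V$, the probability that $V$ is generated by $v_1, \ldots, v_m$ is at least $\alpha$.

Proof. Fix a basis of $V$. The matrix of the linear map

$$\mathbf{F}^m \longrightarrow V, \qquad (c_1, \ldots, c_m) \longmapsto \sum_{i=1}^{m} c_i v_i$$

is a uniformly random $d \times m$-matrix over $\mathbf{F}$. The probability that it has rank $d$ is the probability that its rows (which are uniformly random elements of $\mathbf{F}^m$) are linearly independent. This occurs with probability

$$p = \frac{(\#\mathbf{F}^m - 1)(\#\mathbf{F}^m - \#\mathbf{F}) \cdots (\#\mathbf{F}^m - \#\mathbf{F}^{d-1})}{\#\mathbf{F}^{dm}} \ge \frac{(\#\mathbf{F}^m - \#\mathbf{F}^{d-1})^d}{\#\mathbf{F}^{dm}} = \bigl(1 - (\#\mathbf{F})^{-(m-d+1)}\bigr)^d.$$

The choice of $m$ implies that $p \ge \alpha$. □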

Remark. The integer m defined in Lemma 3.9 is approximately d — 1+ ]^^pj in the sense that 
for any fixed a the difference is bounded for d > 1. 

Algorithm 3.10 (Relations between torsion points). Let $X$ be a projective curve over a finite
field $k$, let $J$ be its Jacobian, and let $l$ be a prime number different from the characteristic of $k$.
Let $x_1, \ldots, x_n$ be elements of $J[l](k)$. Given the $k$-algebra $S_X^{(h)}$ for some $h \ge 7$ and subspaces
$\Gamma(\mathcal{L}_X^2(-D_i))$ of $\Gamma(\mathcal{L}_X^2)$ representing $x_i$ for $1 \le i \le n$, this algorithm outputs an $\mathbb{F}_l$-basis for the
kernel of the natural map

$$\Sigma\colon \mathbb{F}_l^n \to J[l](k), \qquad (c_1, \ldots, c_n) \mapsto \sum_{i=1}^n c_i x_i.$$

The algorithm depends on a parameter $\alpha \in (0, 1)$.

1. Generate a minimal extension $k'$ of $k$ such that $k'$ contains a primitive $l$-th root of unity $\zeta$.
Let

$$\lambda\colon \mu_l(k') \xrightarrow{\sim} \mathbb{F}_l$$

denote the corresponding discrete logarithm, i.e. the unique isomorphism of one-dimensional
$\mathbb{F}_l$-vector spaces sending $\zeta$ to 1.

2. Define an integer $m \ge 0$ by







m : 



1 + 



log/ 



if n = 0; 
if n > 0. 



3. Choose $m$ uniformly random elements $y_1, \ldots, y_m$ in $J(k')$ as described in §3.5; their images
in $J(k')/lJ(k')$ are again uniformly distributed.

4. Compute the $m \times n$-matrix

$$M = \bigl(\lambda([y_i, x_j]_l)\bigr) \qquad (1 \le i \le m,\ 1 \le j \le n)$$

with coefficients in $\mu_l(k')$, where the pairing $[\ ,\ ]_l$ is evaluated using Algorithm 3.8 and the
isomorphism $\lambda$ is evaluated using some algorithm for computing discrete logarithms in $\mu_l(k')$.

5. Compute an $\mathbb{F}_l$-basis $(b_1, \ldots, b_r)$ for the kernel of $M$.

6. If $\Sigma(b_1) = \cdots = \Sigma(b_r) = 0$, output $(b_1, \ldots, b_r)$ and stop.

7. Go to step 3.

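Analysis. We write $V$ for the image of $\Sigma$ and $V'$ for the quotient of $J(k')/lJ(k')$ by the annihilator
of $V$ under the pairing $[\ ,\ ]_l$. Then we have an induced isomorphism

$$V \xrightarrow{\sim} \mathrm{Hom}_{\mathbb{F}_l}(V', \mu_l(k')).$$

Consider the map

$$\Sigma'\colon \mathbb{F}_l^m \to V', \qquad (c_1, \ldots, c_m) \mapsto \sum_{i=1}^m c_i y_i.$$

Now we have a commutative diagram

$$\begin{array}{ccc}
\mathbb{F}_l^n & \longrightarrow & \mathrm{Hom}_{\mathbb{F}_l}(\mathbb{F}_l^m, \mu_l(k')) \\
{\scriptstyle\Sigma}\downarrow & & \uparrow \\
V & \xrightarrow{\ \sim\ } & \mathrm{Hom}_{\mathbb{F}_l}(V', \mu_l(k'))
\end{array}$$

We identify $\mu_l(k')$ with $\mathbb{F}_l$ using the isomorphism $\lambda$ and equip $\mathrm{Hom}_{\mathbb{F}_l}(\mathbb{F}_l^m, \mu_l(k'))$ with the dual
basis of the standard basis of $\mathbb{F}_l^m$. Then the top arrow in the diagram is given by the matrix $M$
defined in step 4. This means that we have an inclusion

$$\ker\Sigma \subseteq \ker M.$$

In step 6 we check whether this inclusion is an equality. The surjectivity of $\Sigma$ implies that this is
the case if and only if the rightmost map in the diagram is injective, i.e. if and only if $\Sigma'$ is surjective.
Since $\dim_{\mathbb{F}_l} V' \le n$, this happens with probability at least $\alpha$ by Lemma 3.9. Therefore steps 3-7
are executed at most $1/\alpha$ times on average. This implies that (for fixed $\alpha$) the algorithm runs in
time polynomial in $g_X$, $\log\#k$, $l$ and $n$. ⋄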

Remarks. (1) If we know an upper bound for the dimension of the $\mathbb{F}_l$-vector space generated by
the $x_i$, then we can use this upper bound instead of $n$ in the expression for $m$ in step 2.

(2) It does not matter much what algorithm we use for computing the discrete logarithm in $\mu_l(k')$,
since the running time of Algorithm 3.10 is already polynomial in $l$. For example, we can simply
tabulate the function $\lambda$.
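
A toy run of steps 2 to 7 of Algorithm 3.10, added here as an illustration and not taken from the paper. It assumes a model in which points of $J[l](k)$ are vectors in $\mathbb{F}_l^d$ and the dot product mod $l$ stands in for $\lambda([y, x]_l)$; the function names are hypothetical, and `lemma_m` takes $m$ as the least integer for which the lower bound in the proof of Lemma 3.9 reaches $\alpha$.

```python
import random
from fractions import Fraction

def lemma_m(d, q, alpha):
    """Least m >= d with (1 - q^-(m-d+1))^d >= alpha, the bound in the proof of Lemma 3.9."""
    m = d
    while (1 - Fraction(1, q ** (m - d + 1))) ** d < alpha:
        m += 1
    return m

def kernel_mod(M, ncols, l):
    """Basis of {c in F_l^ncols : M c = 0}, by Gauss-Jordan elimination mod the prime l."""
    rows, pivots = [r[:] for r in M], []
    for c in range(ncols):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, l)
        rows[r] = [v * inv % l for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [(a - rows[i][c] * b) % l for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [int(j == free) for j in range(ncols)]
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][free] % l
        basis.append(v)
    return basis

def sigma(c, xs, l):  # the map Sigma: (c_1..c_n) -> sum c_i x_i, in the toy model
    return [sum(ci * x[j] for ci, x in zip(c, xs)) % l for j in range(len(xs[0]))]

def relations(xs, l, alpha=0.5, seed=0):
    """Toy steps 2-7 for a non-empty list xs of vectors in F_l^d (assumed model)."""
    rng, n, d = random.Random(seed), len(xs), len(xs[0])
    m = lemma_m(n, l, alpha)                                                  # step 2
    while True:
        ys = [[rng.randrange(l) for _ in range(d)] for _ in range(m)]        # step 3
        M = [[sum(a * b for a, b in zip(y, x)) % l for x in xs] for y in ys]  # step 4
        basis = kernel_mod(M, n, l)                                           # step 5
        if not any(any(sigma(b, xs, l)) for b in basis):                      # step 6
            return basis                                                      # else step 7

# Constructed sample: four vectors of rank 2 in F_5^3, so two independent relations.
XS = [[1, 0, 0], [0, 1, 0], [1, 1, 0], [2, 2, 0]]
```

Because $\ker\Sigma \subseteq \ker M$ always holds, the loop can only exit when the two kernels coincide, so the returned basis has exactly $n - \dim V$ elements whatever the random choices were.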
3.8. The Kummer map on a divisible group

Let $k$ be a finite field of cardinality $q$, and let $l$ be a prime number. Let $G$ be an étale $l$-divisible
group over $k$. (The étaleness is automatic if $l$ is different from the characteristic of $k$.) We denote
by $F_q\colon G \to G$ the ($q$-power) Frobenius endomorphism of $G$; this is an automorphism because of
the assumption that $G$ is étale.

For any non-negative integer $n$ such that all the points of $G[l^n]$ are $k$-rational, the Kummer
map of order $l^n$ on $G$ over $k$ is the isomorphism

$$K^{G/k}_{l^n}\colon G(k)/l^n G(k) \xrightarrow{\sim} G[l^n](k), \qquad x \mapsto F_q(y) - y,$$

where $y$ is any point of $G$ over an algebraic closure of $k$ such that $l^n y$ is a lift of $x$ to $G(k)$.

Let $\chi \in \mathbb{Z}_l[t]$ be the characteristic polynomial of the Frobenius automorphism of $G$ on (the
Tate module of) $G$. Then the element $t \bmod \chi$ of $\mathbb{Z}_l[t]/(\chi)$ is invertible. Let $n$ be any non-negative
integer, and let $a$ be a positive integer such that

$$t^a = 1 \quad\text{in } \bigl(\mathbb{Z}_l[t]/(l^n, \chi)\bigr)^\times.$$

Then $t^a - 1$ is divisible by $l^n$ in $\mathbb{Z}_l[t]/(\chi)$, and we let $h_a$ be the unique element of $\mathbb{Z}_l[t]/(\chi)$ such
that

$$t^a - 1 = l^n h_a \in \mathbb{Z}_l[t]/(\chi).$$

By the Cayley-Hamilton theorem, $\mathbb{Z}_l[t]/(\chi)$ acts on $G$ with $t$ acting as $F_q$. The above identity
therefore implies that

$$F_q^a - 1 = l^n h_a(F_q) \quad\text{on } G.$$

Let $k_a$ be an extension of $k$ with

$$[k_a : k] = a.$$

Then $G[l^n]$ is defined over $k_a$, and we can express the Kummer map over $k_a$ in terms of the
Frobenius endomorphism over $k$ as

$$K^{G/k_a}_{l^n}\colon G(k_a)/l^n G(k_a) \xrightarrow{\sim} G[l^n](k_a), \qquad x \mapsto h_a(F_q)(x).$$

In §3.9 we are going to apply this to a certain $l$-divisible subgroup of the $l$-power torsion of the
Jacobian of a projective curve over $k$.

3.9. Computing the $l$-torsion in the Picard group

Let $X$ be a projective curve over $k$, and let $J$ be its Jacobian. Let $F_q$ denote the Frobenius
endomorphism of $J$ over $k$, and let $\chi \in \mathbb{Z}[t]$ be the characteristic polynomial of $F_q$.

Let $l$ be a prime number different from the characteristic of $k$. We are going to apply the
results of §3.8 to a certain $l$-divisible subgroup $G$ of the group $J[l^\infty]$ of $l$-power torsion points of $J$.
This $G$ is defined as follows. Let $f = (t - 1)^b$ be the largest power of $t - 1$ dividing $\chi \bmod l$, so
that $\chi \bmod l$ has the factorisation

$$(\chi \bmod l) = f \cdot f^\perp$$

in coprime monic polynomials in $\mathbb{F}_l[t]$. Hensel's lemma implies that this factorisation can be lifted
uniquely to a factorisation

$$\chi = f \cdot f^\perp,$$

where $f$ and $f^\perp$ are coprime monic polynomials in $\mathbb{Z}_l[t]$. The Chinese remainder theorem gives a
decomposition

$$\mathbb{Z}_l[t]/(\chi) \cong \mathbb{Z}_l[t]/(f) \times \mathbb{Z}_l[t]/(f^\perp), \qquad (3.13)$$

which in turn induces a decomposition

$$J[l^\infty] \cong G \times G^\perp$$

of $l$-divisible groups. We note that $G$ is of rank $b$ and that $f$ is the characteristic polynomial of
$F_q$ on $G$. Let $a$ be a positive integer such that

$$t^a = 1 \quad\text{in } \bigl(\mathbb{F}_l[t]/(f)\bigr)^\times, \qquad (3.14)$$

let $h_a$ be the unique element of $\mathbb{Z}_l[t]/(f)$ such that

$$t^a - 1 = l h_a \in \mathbb{Z}_l[t]/(f), \qquad (3.15)$$

and let $k_a$ be an extension of degree $a$ of $k$. All the points of $G[l]$ are $k_a$-rational, and the
$b$-dimensional $\mathbb{F}_l$-vector space $G[l](k_a)$ is the generalised eigenspace corresponding to the eigenvalue 1
of $F_q$ inside the $\mathbb{F}_l$-vector space of points of $J[l]$ over an algebraic closure of $k_a$. In particular, we
have the identity

$$J[l](k) = \{x \in G[l](k_a) \mid F_q(x) = x\}.$$

As explained in §3.8, the map

$$G(k_a)/lG(k_a) \to G[l](k_a), \qquad x \mapsto h_a(F_q)(x)$$

is well-defined and equal to the Kummer isomorphism

$$K^{G/k_a}_{l}\colon G(k_a)/lG(k_a) \xrightarrow{\sim} G[l](k_a)$$

of order $l$.

The above results give us a way of generating uniformly random elements of the $\mathbb{F}_l$-vector
space $G[l](k_a)$. We factor $\#J(k_a)$ as

$$\#J(k_a) = l^{c_a} m_a$$

with $c_a \ge 0$, $m_a \ge 1$ and $l \nmid m_a$. Let $e$ be the idempotent in $\mathbb{Z}_l[t]/(\chi)$ corresponding to the element
$(1, 0)$ on the right-hand side of (3.13). Composing the maps

$$J(k_a) \xrightarrow{m_a} J[l^\infty](k_a) \xrightarrow{e} G(k_a) \longrightarrow G(k_a)/lG(k_a) \xrightarrow{K^{G/k_a}_{l}} G[l](k_a) \qquad (3.16)$$

we get a surjective group homomorphism from $J(k_a)$ to $G[l](k_a)$. We can use this map to convert
uniformly random elements of $J(k_a)$ into uniformly random elements of $G[l](k_a)$, provided we
know $e$ and $h_a$ to sufficient $l$-adic precision. It is clear that to compute the Kummer map we only
need to know the image of $h_a$ in $\mathbb{Z}_l[t]/(f, l) = \mathbb{F}_l[t]/((t - 1)^b)$. Since $G(k_a)$ can be identified with
a subgroup of $J(k_a)$, it is annihilated by $l^{c_a}$, and we have

$$J[l^\infty](k_a) = J[l^{c_a}](k_a) \quad\text{and}\quad G(k_a) = G[l^{c_a}](k_a).$$

This implies that it suffices to know $e$ to precision $O(l^{c_a})$.

Let us check that there is a reasonably small $a$ for which (3.14) holds. For any non-negative
integer $\gamma$ the identity

holds in $\mathbb{F}_l[t]$, and the right-hand side maps to zero in $\mathbb{F}_l[t]/(t - 1)^b$ if and only if $l^\gamma \ge b$. Since $l$ is
a prime number, we conclude that the order of $t$ in $\mathbb{F}_l[t]/((t - 1)^b)$ equals $l^\gamma$, where $\gamma$ is the least
non-negative integer such that $l^\gamma \ge b$.






Algorithm 3.11 (Computing the $l$-torsion of the Picard group). Let $X$ be a projective curve
over a finite field $k$ with $q$ elements, let $J$ be its Jacobian, and let $l$ be a prime number different
from the characteristic of $k$. Given the $k$-algebra $S_X^{(7)}$ and the characteristic polynomial $\chi$ of the
Frobenius endomorphism of $J$ over $k$, this algorithm outputs an $\mathbb{F}_l$-basis for $J[l](k) = (\mathrm{Pic}\,X)[l]$.
The algorithm depends on a parameter $\alpha \in (0, 1)$.

1. Factor $\chi \bmod l$ in $\mathbb{F}_l[t]$ as

$$(\chi \bmod l) = f \cdot f^\perp,$$

where $f$ is the greatest power of $t - 1$ dividing $\chi \bmod l$, say $f = (t - 1)^b$, and lift this to a
factorisation

$$\chi = f \cdot f^\perp$$

in coprime monic polynomials in $\mathbb{Z}_l[t]$.

2. Compute the non-negative integer $r$ defined by







r 

16-1 + 


logYT^ 


log/ 



if 6 = 0; 
if 6 > 1. 



3. Define $a = l^\gamma$, where $\gamma$ is the least non-negative integer such that $l^\gamma \ge b$. Generate a finite
extension $k_a$ of degree $a$ of $k$. Factor $\#J(k_a)$ as

$$\#J(k_a) = l^{c_a} m_a \quad\text{with } l \nmid m_a.$$

Compute the image of the idempotent $e$ in $(\mathbb{Z}/l^{c_a}\mathbb{Z})[t]/(\chi)$ using the extended Euclidean
algorithm, and compute the image of $h_a$ in $\mathbb{F}_l[t]/((t - 1)^b)$ using the definition (3.15) of $h_a$.

4. Generate $r$ uniformly random elements of $J(k_a)$ as explained in §3.5, and map them to
elements $x_1, \ldots, x_r \in G[l](k_a)$ using the homomorphism (3.16).

5. Using Algorithm 3.7, compute a basis for the kernel of the $\mathbb{F}_l$-linear map

$$\Sigma\colon \mathbb{F}_l^r \to G[l](k_a), \qquad (c_1, \ldots, c_r) \mapsto \sum_{i=1}^r c_i x_i.$$

If the dimension of this kernel is greater than $r - b$, go to step 4.

6. Use the $\mathbb{F}_l$-linear relations between $x_1, \ldots, x_r$ computed in the previous step to find a
subsequence $(y_1, \ldots, y_b)$ of $(x_1, \ldots, x_r)$ that is an $\mathbb{F}_l$-basis of $G[l](k_a)$.

7. Let $M$ be the matrix with respect to the basis $(y_1, \ldots, y_b)$ of the $\mathbb{F}_l$-linear automorphism
of $G[l](k_a)$ induced by the Frobenius endomorphism $F_q$ of $J$ over $k$. Compute $M$ by computing
$F_q(y_i)$ for $i = 1, \ldots, b$ using Algorithm 3.1 and then applying Algorithm 3.7 to express the
$F_q(y_i)$ as linear combinations of the $y_j$.

8. Compute a basis for the kernel of $M - I$, where $I$ is the $b \times b$ identity matrix. Map the basis
elements to elements $z_1, \ldots, z_t$ of $G[l](k_a)$ using the injective homomorphism

$$\mathbb{F}_l^b \to G[l](k_a), \qquad (a_1, \ldots, a_b) \mapsto \sum_{i=1}^b a_i y_i.$$

Output $(z_1, \ldots, z_t)$.

Analysis. The definition of $a$ implies that $a$ equals the order of $t$ in $(\mathbb{F}_l[t]/(t - 1)^b)^\times$, and $J[l](k)$
equals the kernel of $F_q - \mathrm{id}$ on $G[l](k_a)$, as remarked before. The elements $x_1, \ldots, x_r$ of $G[l](k_a)$
are uniformly random by the fact that (3.16) is a homomorphism. By Lemma 3.9, they generate
the $b$-dimensional $\mathbb{F}_l$-vector space $G[l](k_a)$ with probability at least $\alpha$. The definition of $a$ also
implies that

$$a \le \max\{1, 2 g_X l - 1\},$$

while the "class number formula" (3.6) gives the upper bound

$$c_a \le \frac{\log\#J(k_a)}{\log l} \le \frac{2 g_X \log(1 + q^{a/2})}{\log l}.$$

This shows that $c_a$ is bounded by a polynomial in $g_X$, $\log q$ and $l$. For fixed $\alpha$ we therefore reach
step 6 in expected polynomial time in $\deg\mathcal{L}_X$, $\log q$ and $l$. In steps 6-8 we compute a basis for
the kernel of $F_q - \mathrm{id}$, which is $J[l](k)$. We conclude that the algorithm is correct and runs in
probabilistic polynomial time in $\deg\mathcal{L}_X$, $\log q$ and $l$. ⋄

Remark. The elements $z_j$ output by the preceding algorithm are defined over $k$. In general, it
seems unclear how to generate $k$-vector spaces (instead of $k_a$-vector spaces) representing them.
However, if we know a $k$-rational point on $X$, then we can use Algorithm 2.13 to accomplish this.



References

[1] L. M. Adleman and H. W. Lenstra, Jr., Finding irreducible polynomials over finite fields. In:
Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing (Berkeley,
CA, 1986), 350-355. Association for Computing Machinery, New York, 1986.

[2] J. G. Bosman, Explicit computations with modular Galois representations. Ph.D. thesis,
Universiteit Leiden, 2008.

[3] P. J. Bruin, An algorithm for computing modular Galois representations. Ph.D. thesis,
Universiteit Leiden, 2010, in preparation.

[4] J.-M. Couveignes, Linearizing torsion classes in the Picard group of algebraic curves over
finite fields. Journal of Algebra 321 (2009), 2085-2118.

[5] C. Diem, On arithmetic and the discrete logarithm problem in class groups of curves.
Habilitationsschrift, Universität Leipzig, 2008.

[6] C. Diem, On the discrete logarithm problem in class groups of curves, to appear.

[7] W. Eberly and M. Giesbrecht, Efficient decomposition of associative algebras over finite
fields. Journal of Symbolic Computation 29 (2000), 441-458.

[8] J.-M. Couveignes and S. J. Edixhoven (editors), Computational aspects of modular forms
and Galois representations. Princeton University Press, to appear.

[9] S. J. Edixhoven (with J.-M. Couveignes, R. S. de Jong, F. Merkl and J. G. Bosman),
On the computation of coefficients of a modular form. Preprint, 2006/2009.
Available online: http://arxiv.org/abs/math.NT/0605244.

[10] G. Frey and H.-G. Rück, A remark concerning m-divisibility and the discrete logarithm in
the divisor class group of curves. Mathematics of Computation 62 (1994), 865-874.

[11] R. Hartshorne, Algebraic Geometry. Springer-Verlag, New York, 1977.

[12] K. Khuri-Makdisi, Linear algebra algorithms for divisors on an algebraic curve. Mathematics
of Computation 73 (2004), no. 245, 333-357.
Available online: http://arxiv.org/abs/math.NT/0105182.

[13] K. Khuri-Makdisi, Asymptotically fast group operations on Jacobians of general curves.
Mathematics of Computation 76 (2007), no. 260, 2213-2239.
Available online: http://arxiv.org/abs/math.NT/0409209.

[14] R. Lazarsfeld, A sampling of vector bundle techniques in the study of linear series. In: M.
Cornalba, X. Gomez-Mont and A. Verjovsky (editors), Lectures on Riemann Surfaces
(Trieste, 1987), 500-559. World Scientific Publishing, Teaneck, NJ, 1989.

[15] M. O. Rabin, Probabilistic algorithms in finite fields. SIAM Journal on Computing 9 (1980),
no. 2, 273-280.

[16] E. F. Schaefer, A new proof for the non-degeneracy of the Frey-Rück pairing and a
connection to isogenies over the base field. In: T. Shaska (editor), Computational Aspects of
Algebraic Curves (Conference held at the University of Idaho, 2005), 1-12. Lecture Notes
Series in Computing 13. World Scientific Publishing, Hackensack, NJ, 2005.

[17] Théorie des topos et cohomologie étale des schémas (SGA 4). Tome 3 (exposés IX à XIX).
Séminaire de Géométrie Algébrique du Bois-Marie 1963-1964, dirigé par M. Artin, A.
Grothendieck et J.-L. Verdier, avec la collaboration de P. Deligne et B. Saint-Donat.
Lecture Notes in Mathematics 305. Springer-Verlag, Berlin/Heidelberg/New York, 1973.

[18] W. A. Stein, Modular Forms, a Computational Approach. With an appendix by P. E.
Gunnells. American Mathematical Society, Providence, RI, 2007.



Peter Bruin
Universiteit Leiden
Mathematisch Instituut
Postbus 9512
2300 RA Leiden
Netherlands

pbruin@math.leidenuniv.nl